
PayPal Data Protection Addendum




Updated Data Protection Addendum

Effective Date October 1, 2021 for existing US Merchants or immediately for US Merchants who sign up after August 31, 2021

This PayPal Data Protection Addendum for Card Processing Products (this "Addendum") applies to any product, service, or other offering where PayPal provides card processing, gateway and/or fraud protection services (the "Payment Services") to you. This Addendum does not apply to PayPal wallet services such as pay with PayPal, Venmo, or PayPal’s pay later offers. This Addendum forms part of the applicable agreement between you ("you" or "Merchant") and PayPal, Inc. ("PayPal") that governs PayPal’s provision of the card processing services to you (the "Agreement") and is incorporated by reference therein. In the event there is any conflict between the terms of this Addendum and the Agreement, the terms of this Addendum will control. Capitalized terms used but not defined in this Addendum have the meaning set out in the Agreement.

This Addendum is effective as of the later of (i) the effective date specified in the Agreement or (ii) the effective date stated in the notice posted or provided to you in connection with this Addendum. We may amend this Addendum from time to time. The revised version will be effective at the time we post it on our website, unless otherwise noted. If our changes reduce your rights or increase your responsibilities, we will post a notice on the "Policy Updates" page of our website within the timeframe required by the Agreement. If you do not agree with any change to this Addendum, you may discontinue your use of the Payment Services.

1. Definitions

The following terms have the following meanings when used in Part A of this Addendum:

"Controller" means an entity that determines the purposes and means of the processing of Personal Data, or, if such term (or terms addressing similar data protection and privacy roles) is defined in Data Protection Law, "Controller" shall have the meaning as defined in the applicable Data Protection Law including a "Business" as defined in the CCPA.

"Customer" means your customers who use the Payment Services in the United States and for the purposes of Part A of this Addendum, are data subjects.

"Customer Data" means the Personal Data that (i) the Customer provides to you and you pass on to PayPal through the use by you of the Payment Services and (ii) PayPal may collect from the Customer’s device and browser through use by you of the Payment Services.

"Data Protection Laws" means any applicable data protection laws, regulations, directives and regulatory requirements applicable to PayPal’s provision of the Payment Services, including any amendments thereto and any associated regulations or instruments (e.g., the California Consumer Privacy Act 2018, Cal. Civ. Code § 1798.100 et seq (“CCPA”), the General Data Protection Regulation (EU) 2016/679 (GDPR), the Australian Privacy Act 1988 (Cth), the Personal Information Protection and Electronic Documents Act (Canada), the Personal Data (Privacy) Ordinance (Cap.486) (Hong Kong), the Brazilian General Data Protection Law, Federal Law no. 13,709/2018 and the Personal Data Protection Act 2012 (Singapore)).

"Personal Data" means any information relating to an identified or identifiable natural person (a "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"Process" or "Processed" or "Processing" means any operation or set of operations performed upon Personal Data, including collection, recording, retention, sharing, organization, storage, access, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, making available, alignment, combination, blocking, deleting, erasure, or destruction.

2. PayPal as a Controller

PayPal shall comply with the requirements of the Data Protection Laws applicable to Controllers in respect of the Processing of Customer Data under this Addendum (including without limitation, by implementing and maintaining at all times all appropriate security measures in relation to the Processing of Customer Data) and shall not knowingly do anything or permit anything to be done with respect to the Customer Data that likely would lead to a breach by Merchant of the Data Protection Laws. PayPal shall only transfer Customer Data to third parties, sub-processors or members of the PayPal Group Entity who shall sign written agreements which contain terms for the protection of Customer Data, which are no less protective than the terms set out in this Addendum.

3. Processing of Customer Data in Connection with the Payment Services

The parties acknowledge and agree that Merchant and PayPal are each independent Controllers in respect of all Customer Data Processed in connection with the Payment Services. As such, PayPal independently determines the purpose and the means of the Processing of such Customer Data and is not a joint Controller with Merchant with respect to such Customer Data. The parties acknowledge and agree that PayPal is permitted to use, reproduce and Process Customer Data and payment transaction data for the following limited purposes:

  • as reasonably necessary to provide and improve the Payment Services to Merchant and Merchant’s Customers, including fraud protection tools;
  • to monitor, prevent, and detect fraudulent payment transactions and to prevent harm to Merchant, PayPal, and to third parties;
  • to comply with legal or regulatory obligations applicable to the Processing and retention of payment data to which PayPal is subject, including applicable anti-money laundering and identity verification obligations;
  • to analyze, develop, and improve PayPal’s products and services;
  • internal usage, including but not limited to, data analytics and metrics;
  • to compile and disclose Customer Data and payment transaction data in the aggregate where Merchant’s individual or Customer Data is not identifiable, including calculating Merchant’s averages by region or industry;
  • complying with applicable legal requirements and assisting law enforcement agencies by responding to requests for the disclosure of information in accordance with laws; and
  • any other purpose that it notifies Merchant so long as such purpose is in accordance with Data Protection Laws.

4. Merchant Notice to Customers

Merchant shall use commercially reasonable efforts to (i) notify Customers in their privacy policy that PayPal is an independent Controller for the purpose of Processing Customer Data and (ii) include a link to the PayPal privacy statement available at www.paypal.com in Merchant’s privacy policy.

5. Mutual Assistance

The parties agree to co-operate with each other to the extent reasonably necessary to enable the other party to adequately discharge their responsibility as an independent Controller under Data Protection Laws. The parties agree that to the extent Merchant receives a subject access request or any exercise by a Customer of its rights under Data Protection Laws, Merchant shall respond to such Customer’s access request directly. Merchant also shall inform the Customer that they may exercise their data subject rights in connection with the Payment Services with PayPal according to the instructions described in the Privacy Statement available at www.paypal.com. In addition, if in connection with any Security Incident, PayPal determines in its sole discretion that it must notify affected Customers and PayPal does not have the necessary contact information about an affected Customer to make such communication, then Merchant shall use commercially reasonable efforts to provide PayPal with information about Customers that Merchant may possess for the limited purpose of PayPal’s compliance with applicable notification obligations regarding affected Customers under Data Protection Laws.

6. Cross Border Data Transfers

We each agree that PayPal may transfer Customer Data Processed under the Agreement outside the country where it was collected as necessary to provide the Payment Services. If PayPal transfers Customer Data to a jurisdiction for which the applicable regulatory authority for the country in which the data was collected has not issued an adequacy decision, PayPal will ensure that appropriate safeguards have been implemented for the transfer of Customer Data in accordance with the applicable Data Protection Laws. For example, and for purposes of compliance with the GDPR, PayPal relies on Binding Corporate Rules approved by competent supervisory authorities and other data transfer mechanisms for transfers of Customer Data to other members of the PayPal Group.

With respect to your data transfers to PayPal Inc. of your Customers located in the European Union, Switzerland, the European Economic Area, and/or their member states and the United Kingdom, the parties each agree that (i) your signing of the Agreement will be deemed to be signature and acceptance of the Controller to Controller Standard Contractual Clauses approved by EC Commission Decision of 27 December 2004 (C(2004)5721) ("C2C Transfer Clauses") by Merchant, as the data exporter and (ii) PayPal’s signature of this Agreement will be deemed to be signature and acceptance of the C2C Transfer Clauses by PayPal, as the data importer. In the event the European Commission revises and thereafter publishes new C2C Transfer Clauses or as otherwise required or implemented by the European Commission, the parties agree that such new C2C Transfer Clauses will supersede the present C2C Transfer Clauses. The C2C Transfer Clauses will be incorporated into the Agreement by reference and will be considered duly executed between the parties upon entering into force of this Agreement subject to the following details:

  • PayPal agrees it will process the Customer Data in accordance with Set II, clauses II(h)(iii) of the C2C Transfer Clauses and by signing the Agreement it will be deemed to duly initial and accept such clause II(h)(iii); and

  • The parties agree that the details required under the C2C transfer Clauses Annex B are as set forth on Attachment 1.

Attachment 1

C2C Transfer Clauses Annex B

Data subjects

The personal data transferred concern the following categories of data subjects:

The data exporter and its Customers.

Purposes of the transfer(s)

The transfer is made for the following purposes:

Performance of the services provided by data importer to data exporter in accordance with the Agreement.

Categories of data

The personal data transferred may include the following categories of data:

Customer name, amount to be charged, date/time, bank account details, payment card details, CVC code, post code, country code, address, email address, fax, phone, website, expiry data, shipping details, tax status, unique customer identifier, IP Address, location, and any other data received by PayPal under the Agreement.

Recipients

The personal data transferred may be disclosed only to the following recipients:

The importer’s service providers, affiliates, and personnel performing services in accordance with the Agreement.

Sensitive data (if appropriate)

The personal data transferred concern the following categories of sensitive data:

Not applicable, unless Merchant configures the service to capture such data.

Data protection registration information of data exporter (where applicable)

Not applicable.

Additional useful information (storage limits and other relevant information)

As set forth in the Agreement.

Contact points for data protection enquiries

Data importer: Contact points for Data importer can be found in the Agreement.

Data exporter: Contact points for Data importer can be found in the Agreement.

Current Data Protection Addendum

Effective Date: January 29, 2021 to September 30, 2021

This Data Protection Addendum for Card Processing Products (this "Addendum") forms part of the applicable agreement between you ("you" or "Merchant") and PayPal, Inc. ("PayPal") which governs PayPal’s provision of the direct card processing services to you (the "Agreement") and is incorporated by reference therein. It applies to any product, service, or other offering where PayPal provides direct card processing and/or fraud protection services (the "Payment Services") to you. This Addendum does not apply to PayPal wallet services such as pay with PayPal, Venmo, or PayPal’s pay later offers.

Part A of the Addendum applies when PayPal provides Payment Services to you in the United States and performs such Payment Services as a Service Provider. Part B of the Addendum applies if and when PayPal provides Payment Services to you outside of the United States and performs such services as a Data Controller. In the event there is any conflict between the terms of this Addendum and the Agreement, the terms of this Addendum will control. Capitalized terms used but not defined in this Addendum have the meaning set out in the Agreement.

Part A – Data Protection Terms (United States Only) – PayPal as a Service Provider

1. Definitions

The following terms have the following meanings when used in Part A of this Addendum:

"Customer" means your customers who use the Payment Services in the United States and for the purposes of Part A of this Addendum, are data subjects.

"Customer Data" means the Personal Data that (i) the Customer provides to you and you pass on to PayPal through the use by you of the Payment Services and (ii) PayPal may collect from the Customer’s device and browser through use by you of the Payment Services.

"Data Protection Laws" means any data protection laws, regulations, and regulatory requirements applicable to PayPal’s provision of the Payment Services in the United States, including, without limitation, the California Consumer Privacy Act of 2018 (CCPA), including any implementing regulations issued by the California Attorney General, but only to the extent applicable to the provision of the Payment Services under this Agreement.

"Personal Data" means any information relating to an identified or identifiable natural person (a "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"Process" or "Processed" or "Processing" means any operation or set of operations performed upon Personal Data, including collection, recording, retention, sharing, organization, storage, access, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, making available, alignment, combination, blocking, deleting, erasure, or destruction.

"Security Incident" means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed by or otherwise controlled by PayPal.

"Service Provider" has the meaning set out in the CCPA.

2. Processing of Personal Data in Connection with the Payment Services

2.1 PayPal as a Service Provider

When PayPal provides Payment Services to Merchant within the United States, PayPal shall perform such services as a Service Provider with respect to the Processing of Customer Data, including the Personal Data of Customers and other natural persons, households, and entities only for the purposes specified in the Agreement. Merchant agrees to provide to PayPal only the Customer Data that is necessary for PayPal to provide the Payment Services. The parties acknowledge and agree that PayPal is permitted to use, reproduce, and process Customer Data and payment transaction data for the following limited purposes:

  • as reasonably necessary to provide and improve the Payment Services to Merchant and Merchant’s Customers, including fraud protection tools;
  • to monitor, prevent, and detect fraudulent payment transactions, and to prevent harm to Merchant, PayPal, and to third parties;
  • to comply with legal or regulatory obligations applicable to the Processing and retention of payment data to which PayPal is subject, including applicable anti-money laundering and identity verification obligations;
  • to analyze, develop, and improve PayPal’s products and services;
  • internal usage, including but not limited to, data analytics and metrics;
  • to compile and disclose Customer Data and payment transaction data in the aggregate where Merchant’s individual or Customer Personal Data is not identifiable, including calculating Merchant’s averages by region or industry;
  • complying with applicable legal requirements and assisting law enforcement agencies by responding to requests for the disclosure of information in accordance with laws; and
  • any other purpose that PayPal notifies you of and in accordance with Data Protection Laws.

2.1.2 PayPal will comply with the requirements of the Data Protection Laws with respect to the use of Personal Data under the Agreement and will not knowingly do anything or knowingly permit anything to be done with respect to the Personal Data which might lead to a breach by Merchant of the Data Protection Laws.

2.1.3 With regard to any Customer Data to be processed by PayPal in connection with the Agreement, Merchant will be responsible for determining the primary purposes for which, and the manner in which, Customer Data are, or are to be, Processed.

2.1.4 The parties acknowledge and agree that valuable consideration, monetary or otherwise, is being provided for the Payment Services being rendered by PayPal and not in exchange for Merchant providing Personal Data in connection with the Payment Services.

2.1.5 Unless otherwise required or authorized by law and subject to any applicable exceptions, limitations, exemptions, and/or exclusions set forth in the CCPA or any applicable Data Protection Laws, PayPal is prohibited from collecting, retaining, using, selling, or disclosing Personal Information except as necessary for the purpose of performing the Payment Services specified in the Agreement.

2.2 Customer Requests

PayPal will, to the extent legally permitted, promptly notify you in the event PayPal receives a request from a Customer for access to, or correction, amendment, or deletion of, that Customer’s Personal Data. PayPal will not respond to any such Customer request without your prior written consent except to confirm that the request relates to you and you hereby consent to such communication with your Customer by PayPal. PayPal will provide you with commercially reasonable cooperation and assistance in relation to the handling of a Customer’s request for access to that Customer’s Personal Data, provided that such cooperation and assistance is legally permitted and to the extent you do not have access to such Customer Data through your use of the Payment Services. PayPal and you acknowledge and agree that PayPal is authorized under applicable law to retain and process such Customer Data pursuant to applicable law, including, without limitation, any applicable exceptions, limitations, exemptions, and/or exclusions set forth in the CCPA (including without limitation, those exceptions, limitations, exemptions, and/or exclusions set forth in California Civil Code § 1798.145).

2.3 PayPal Personnel

PayPal will ensure that its personnel engaged in the processing of Customer Data are informed of the confidential nature of the Customer Data, have received appropriate training on their responsibilities, and have executed written confidentiality agreements. Such confidentiality obligations will survive the termination of the applicable personnel’s engagement. PayPal undertakes to provide its personnel with training as necessary from time to time with respect to PayPal's obligations in Part A of this Addendum so that PayPal personnel are aware of, and comply with, such obligations. Access by PayPal’s personnel to Customer Data is limited to those personnel performing Payment Services in accordance with the Agreement.

2.4 Technical and Organizational Measures

PayPal will, as a minimum, implement and maintain appropriate technical and organizational measures, as described below, to keep Customer Data secure and to protect it against unauthorized or unlawful Processing and accidental loss, destruction, or damage in relation to the provision of the Payment Services. You understand and agree that the technical and organizational measures are subject to technical progress and development. In that regard, PayPal is expressly permitted to implement adequate alternative technical and organizational measures as long as the security level of the measures is maintained in relation to the provision of the Payment Services. In the event of any detrimental change, PayPal will provide a notification together with any necessary documentation to you by email or publication on a website easily accessible by you.

Technical and organizational measures include:

2.4.1 Measures to prevent any unauthorized person from accessing the facilities used for Processing Customer Data (e.g., secured access, badges);

2.4.2 Measures to prevent Customer Data from being read, copied, amended, or moved by any unauthorized persons (e.g., Customer Data kept in locked premises);

2.4.3 Measures to prevent the unauthorized introduction of any data into the information system, as well as any unauthorized knowledge, amendment, or deletion of the recorded Customer Data (e.g., restricted access to the IT infrastructure);

2.4.4 Measures to prevent data processing systems from being used by any unauthorized person using data transmission facilities (e.g., firewalls);

2.4.5 Measures to limit an authorized person’s use and access to an automated data processing system such that the authorized person may only access Customer Data that are within their competence (e.g., specific user accounts);

2.4.6 Measures to check and record the identity of third parties to whom the Customer Data can be transmitted by transmission facilities (e.g., VPN, encryption of Customer Data);

2.4.7 Measures to check and record the identity of persons who have had access to the information system and any data introduced into the system ex post facto at any time and by any authorized person;

2.4.8 Measures to prevent Customer Data from being read, copied, amended, or deleted in an unauthorized manner when such Customer Data are disclosed or transported; and

2.4.9 Measures to safeguard Customer Data by creating backup copies (e.g., encryption of data backups).

2.5 Security Incidents

If PayPal becomes aware of a Security Incident in connection with the Processing of Customer Data and if there is a reasonable likelihood of material harm to a material part of the PayPal systems relating to the Payment Services provided to you, PayPal will, in accordance with the Data Protection Laws: (a) notify you of the Security Incident promptly and without undue delay and (b) promptly take reasonable steps to minimize harm and secure Customer Data.

Details of Security Incident. Notifications made under this Section will describe, to the extent possible, reasonable details of the Security Incident, including steps taken to mitigate the potential risks.

Communication. PayPal will deliver its notification of any Security Incident to one or more of your administrators via email. You are solely responsible for maintaining current and accurate contact information with PayPal, including for your administrators.

2.6 Deletion

Upon termination or expiration of the Agreement, PayPal will delete or return to you all Customer Data Processed on your behalf, and PayPal will delete existing copies of such Customer Data except where authorized by the Data Protection Laws or where retention is necessary to comply with applicable law.

2.7 Certification

The parties will comply with the applicable Data Protection Laws at all times. PayPal hereby certifies that it understands and agrees to the terms of this Data Protection Addendum.

2.8 Merchant Notices

You undertake to provide all notices and obtain all consents necessary for PayPal’s use of Personal Data set out above.

Part B – Data Protection Terms (Global other than the United States) – PayPal as a Data Controller

1. Definitions

The following terms have the below meanings when used in Part B of this Addendum:

"Controller" means an entity that determines the purposes and means of the Processing of Personal Data, or, if such term (or terms addressing similar functions) is defined in Data Protection Law, "Controller" shall have the meaning as defined in the applicable Data Protection Law.

"Customer" means Merchant’s customers who use the Payment Services outside of the United States and for the purposes of Part B of this Addendum, are data subjects.

"Customer Data" means the Personal Data that (i) the Customer provides to Merchant and Merchant passes on to PayPal through the use by Merchant of the Payment Services and (ii) PayPal may collect from the Customer’s device and browser through use by Merchant of the Payment Services. Customer Data, as used in Part B of this Addendum, does not include Personal Data of Merchant’s United States customers.

"Data Protection Laws" means any applicable data protection laws, regulations, directives, regulatory requirements and codes of practice applicable to the provision of the Payment Services including any amendments thereto and any associated regulations or instruments (e.g., the General Data Protection Regulation (EU) 2016/679 (GDPR), the Australian Privacy Act 1988 (Cth), the Personal Information Protection and Electronic Documents Act (Canada), the Personal Data (Privacy) Ordinance (Cap.486) (Hong Kong), the Brazilian General Data Protection Law, Federal Law no. 13,709/2018 and the Personal Data Protection Act 2012 (Singapore)), but only to the extent applicable to the provision of the Payment Services under this Agreement.

"PayPal Group" means PayPal, Inc. and all companies in which PayPal or its successor directly or indirectly from time to time owns or controls. Such entities shall include, without limitation, PayPal (Europe) S.à r.l. et Cie, S.C.A., PayPal do Brasil Serviços de Pagamentos Ltda., PayPal Australia Pty Ltd., PayPal Hong Kong Limited, PayPal Payments Private Limited, Operadora PayPal de México S. de R.L. de C.V, PayPal Canada Co. and PayPal Pte. Ltd.

"Personal Data" means any information relating to an identified or identifiable natural person (a "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"Process" or terms addressing similar functions when used in Part B of this Addendum shall have the meaning as defined in the applicable Data Protection Laws.

2. PayPal As Data Controller Outside of the United States

PayPal shall comply with the requirements of the Data Protection Laws applicable to Controllers in respect of the use of Customer Data under Part B of this Addendum (including without limitation, by implementing and maintaining at all times all appropriate security measures in relation to the Processing of Personal Data) and shall not knowingly do anything or permit anything to be done with respect to the Personal Data which might lead to a breach by Merchant of the Data Protection Laws. PayPal shall only transfer Personal Data to third parties, sub-processors or members of the PayPal Group for the purposes of providing the Payment Services and shall have written agreements with such third parties and sub-processors which contain terms for the protection of Customer Data, which are no less protective than the terms set out in Part B of this Addendum.

3. Processing of Personal Data in Connection with the Payment Services outside of the United States

When PayPal provides Payment Services to Merchant outside of the United States, PayPal shall perform such services as an independent Controller with respect to the Processing of Customer Data. The parties acknowledge and agree that Merchant and PayPal are each independent Controllers in respect of all Personal Data Processed in connection with the Payment Services provided outside of the United States. As such, PayPal independently determines the purpose and the means of the Processing of such Customer Data and is not a joint Controller with Merchant with respect to such Customer Data.

The parties acknowledge and agree that PayPal is permitted to use, reproduce and Process Customer Data and payment transaction data for the following limited purposes:

  • as reasonably necessary to provide and improve the Payment Services to Merchant and Merchant’s Customers, including fraud protection tools;
  • to monitor, prevent, and detect fraudulent payment transactions and to prevent harm to Merchant, PayPal, and to third parties;
  • to comply with legal or regulatory obligations applicable to the Processing and retention of payment data to which PayPal is subject, including applicable anti-money laundering and identity verification obligations;
  • to analyze, develop, and improve PayPal’s products and services;
  • internal usage, including but not limited to, data analytics and metrics;
  • to compile and disclose Customer Data and payment transaction data in the aggregate where Merchant’s individual or Customer Personal Data is not identifiable, including calculating Merchant’s averages by region or industry;
  • complying with applicable legal requirements and assisting law enforcement agencies by responding to requests for the disclosure of information in accordance with laws; and
  • any other purpose that it notifies Merchant so long as such purpose is in accordance with Data Protection Laws.

4. Merchant Notice to Customers

Merchant shall use commercially reasonable efforts to (i) notify Customers in their privacy policy that PayPal is an independent Controller for the purpose of Processing Customer Data as described in Part B of this Addendum and (ii) include a link to the applicable PayPal or Braintree privacy policy in Merchant’s privacy policy.

5. Mutual Assistance

The parties agree to co-operate with each other to the extent reasonably necessary to enable the other party to adequately discharge their responsibility as an independent Controller under Data Protection Laws. The parties agree that to the extent Merchant receives a subject access request or any exercise by a Customer of its rights under Data Protection Laws, Merchant shall respond to such Customer’s access request directly. Merchant also shall inform the Customer that they may exercise their data subject rights in connection with the Payment Services with PayPal according to the instructions described in the Privacy Statement available at www.braintreepayments.com for a Braintree customer and www.paypal.com for a PayPal customer. In addition, if in connection with any Security Incident, PayPal determines in its sole discretion that it must notify affected Customers and PayPal does not have the necessary contact information about an affected Customer to make such communication, then Merchant shall use commercially reasonable efforts to provide PayPal with information about Customers that Merchant may possess for the limited purpose of PayPal’s compliance with applicable notification obligations regarding affected Customers under Data Protection Laws.

6. Cross Border Data Transfers

We each agree that PayPal may transfer Customer Data Processed under the Agreement outside the country where it was collected as necessary to provide the Payment Services. If PayPal transfers Customer Data protected under Part B of this Addendum to a jurisdiction for which the applicable regulatory authority for the country in which the data was collected has not issued an adequacy decision, PayPal will ensure that appropriate safeguards have been implemented for the transfer of Customer Data in accordance with the applicable Data Protection Laws. For example, and for purposes of compliance with the GDPR, PayPal relies on Binding Corporate Rules approved by competent supervisory authorities and other data transfer mechanisms for transfers of Customer Data to other members of the PayPal Group.

With respect to your data transfers to PayPal of its Customers located in the European Union, Switzerland, the European Economic Area, and/or their member states and the United Kingdom, the parties each agree that (i) your signing of the Agreement will be deemed to be signature and acceptance of the Controller to Controller Standard Contractual Clauses approved by EC Commission Decision of 27 December 2004 (C(2004)5721) ("C2C Transfer Clauses") by Merchant, as the data exporter and (ii) PayPal’s signature of this Agreement will be deemed to be signature and acceptance of the C2C Transfer Clauses by PayPal, as the data importer. In the event the European Commission revises and thereafter publishes new C2C Transfer Clauses or as otherwise required or implemented by the European Commission, the parties agree that such new C2C Transfer Clauses will supersede the present C2C Transfer Clauses. The C2C Transfer Clauses will be incorporated into the Agreement by reference and will be considered duly executed between the parties upon entering into force of this Agreement subject to the following details:

  • PayPal agrees it will process the Customer Data in accordance with Set II, clauses II(h)(iii) of the C2C Transfer Clauses and by signing the Agreement it will be deemed to duly initial and accept such clause II(h)(iii); and

  • The parties agree that the details required under the C2C Transfer Clauses Annex B are as set forth on Attachment 1.

Attachment 1

C2C Transfer Clauses Annex B

Data subjects

The Personal Data transferred concern the following categories of data subjects:

The data exporter and its Customers.

Purposes of the transfer(s)

The transfer is made for the following purposes:

Performance of the services provided by data importer to data exporter in accordance with the Agreement.

Categories of data

The Personal data transferred may include the following categories of data:

Customer name, amount to be charged, date/time, bank account details, payment card details, CVC code, post code, country code, address, email address, fax, phone, website, expiry data, shipping details, tax status, unique customer identifier, IP Address, location, and any other data received by PayPal under the Agreement.

Recipients

The personal data transferred may be disclosed only to the following recipients:

The importer’s service providers, affiliates, and personnel performing services in accordance with the Agreement.

Sensitive data (if appropriate)

The personal data transferred concern the following categories of sensitive data:

Not applicable, unless Merchant configures the service to capture such data.

Data protection registration information of data exporter (where applicable)

Not applicable.

Additional useful information (storage limits and other relevant information)

As set forth in the Agreement.

Contact points for data protection enquiries

Data importer: Contact points for Data importer can be found in the Agreement.

Data exporter: Contact points for Data importer can be found in the Agreement.