Data Protection Terms

1. Definitions


1.1. In these Data Protection Terms, the following expressions (whether used in plural or singular form) have the following meanings, unless otherwise specified or the context otherwise requires:.

“Approved Sub-Contractors List” means the sub-contractors specified, at the relevant time, in the list set out at ConnexPay Subcontractors;

“Controller” has the meaning set out in the UK GDPR;

“Data Protection Laws” means the UK GDPR, the Data Protection Act 2018 and any amendments thereto from time to time (in each case, as applicable to a Party) and all other Applicable Laws relating to data privacy, protection and security and electronic communications;

“Data Regulator” means the Information Commissioner’s Office (or any successor body which has regulatory authority for the purposes of the Data Protection Laws) or, where applicable, any other supervisory authority for the purposes of the Data Protection Laws;

“Data Subject” has the meaning set out in the UK GDPR;

“Personal Data” has the meaning set out in the UK GDPR;

“Processing” has the meaning set out in the UK GDPR (and “Process”, “Processes” and “Processed” shall be construed accordingly);

“Processor” has the meaning set out in the UK GDPR;

“Relevant Data Subject” means a Data Subject in respect of Relevant Personal Data;

“Relevant Personal Data” has the meaning set out in clause 2.2.1; and

“UK GDPR” has the meaning given in the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019/419.

1.2. Without prejudice to any provision of the General Conditions, terms used in these Data Protection Terms which are defined in the General Conditions shall have the meanings so given to them.

2. General

2.1. It is acknowledged and agreed that ConnexPay will be a Controller in relation Personal Data which is gathered and used where ConnexPay determines the manner and purpose of the Processing, including for the purposes of:

2.1.1. Assessing the risk associated with providing services to clients, including but not limited to, financial and fraud-based risk analysis, and applying risk mitigation strategies;

2.1.2. regulatory compliance activity including anti-money laundering, financial crime compliance and identity screening; and

2.1.3. ConnexPay’s compliance with any Applicable Laws.

2.2. It is acknowledged and agreed that:

2.2.1. Subject to Clauses 2.1 above and Clause 6 below, Client will be a Processor of such of the Client data that comprises Personal Data where Client is responsible for determining the manner and purposes of the Processing of such Personal Data including but not limited to for the purposes of: providing services to Client including, risk management (i.e. including fraud monitoring, prevention, detection and prosecution, as well as authentication and authorisation management).

2.2.2. ConnexPay will be the Processor of the Relevant Personal Data, in respect of its activities in providing the Services to Client under the Agreement (subject to Clauses 2.1 above and Clause 6 below).

2.3. Client consents to ConnexPay (and its permitted sub-contractors in accordance with clause 5) transferring and otherwise Processing the Relevant Personal Data outside of the United Kingdom (subject to clause 4.1.6).

2.4. For the purposes of the Agreement, the Parties agree that the scope of the Processing of Relevant Personal Data carried out by ConnexPay as a Processor is as follows:

2.4.1. scope, nature and purpose of Processing: Processing by ConnexPay for the purposes of providing the Services;

2.4.2. duration: for the Term and thereafter as necessary in connection with the provision of the Services (including for the purposes of any processing after termination of the Agreement to wind down Services; and

2.4.3. types of Personal Data and categories of Data Subjects: Personal Data relating to a transaction (such as name, email address, phone number and physical address); and contact details in respect of Client’s employees.

3. Client Obligations

3.1. Client shall ensure that:

3.1.1. it has complied with and shall comply at all times with the Data Protection Laws (and all other Applicable Laws) in respect of its Processing of Transaction Personal Data;

3.1.2. without prejudice to the generality of clause 3.1.1, it: has provided all necessary fair processing notices to the Relevant Data Subjects; has implemented all necessary measures to ensure that Relevant Data Subjects can exercise their rights under the Data Protection Laws; is authorised to transfer Relevant Personal Data to ConnexPay and that such transfer complies with Data Protection Laws; and is authorised to allow ConnexPay to Process the Relevant Personal Data for the purposes of providing the Services under the Agreement; where required by the Data Protection Laws, it has obtained all necessary consents in order to: disclose Relevant Personal Data to ConnexPay; and allow ConnexPay to Process the Relevant Personal Data for the purposes of providing the Services under the Agreement including through its Approved Sub-Contractors; and

3.1.3. it provides clear written instructions, in addition to the terms of the Agreement, relating to the Processing of the Relevant Personal Data by ConnexPay which (without prejudice to clause 4.1.2) comply with Data Protection Laws.

4. ConnexPay Obligations

4.1. In respect of its Processing of Relevant Personal Data, ConnexPay shall:

4.1.1. Process the Relevant Personal Data only for the purposes of providing the Services in accordance with the terms of the Agreement and any written instructions from Client from time to time (unless otherwise required to Process the Relevant Personal Data by Data Protection Laws or any other Applicable Laws, subject to clause 4.1.2);

4.1.2. unless prohibited by Data Protection Laws or any other Applicable Laws on important grounds of public interest, notify Client (and prior to undertaking the applicable Processing) if: ConnexPay is required by the Data Protection Laws or any other Applicable Laws to act other than in accordance with the instructions of Client with regard to any Processing of Relevant Personal Data; and/or ConnexPay considers, in its opinion, that any of Client’s instructions with regard to any Processing of Client infringe the Data Protection Laws or any other Applicable Laws;

4.1.3. ensure that ConnexPay’s personnel who are authorised to Process the Relevant Personal Data have committed themselves to confidentiality;

4.1.4. taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Relevant Data Subjects, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of such Processing, including (as appropriate) the measures and risks referred to in Article 32 of the UK GDPR;

4.1.5. taking into account the nature of the Processing, assist Client by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Client’s obligations to respond to requests from Relevant Data Subjects for exercising their rights under Data Protection Laws;

4.1.6. ensure that any transfer of Relevant Personal Data out of the United Kingdom, shall comply with the requirements of the Data Protection Laws, including (as applicable): the transferee entering into a data export agreement with ConnexPay in the form of standard and/or model clauses (which are approved by the Data Regulator and/or the European Commission, as applicable, as offering adequate safeguards under the Data Protection Laws); or equivalent protections being in place, or as otherwise allowed or required under the Data Protection Laws;

4.1.7. taking into account the nature of the Processing of the Relevant Personal Data and the information available to ConnexPay, assist Client in ensuring compliance with the obligations under Data Protection Laws in relation to security of Processing of the Relevant Personal Data, the notification of any breach of Relevant Personal Data to the Data Regulator and Relevant Data Subjects where applicable (including but not limited to by notifying Client without delay of any suspected compromise to any systems containing Relevant Personal Data which has resulted or is likely to result in unauthorized access to or loss of Relevant Personal Data) , the carrying out of data protection impact assessments where required and where applicable any associated consultations with the Data Regulator;

4.1.8. make available to Client all information reasonably necessary to demonstrate compliance with ConnexPay’s obligations in these Data Protection Terms; and

4.1.9. (upon reasonable prior notice) allow for and contribute to audits, including inspections, conducted by Client (or another auditor mandated by Client) in respect of the Processing of the Relevant Personal Data.

4.2. After the expiry of the provision of the relevant Service to which the Processing of any Relevant Personal Data relates, ConnexPay shall:

4.2.1. delete all Relevant Personal Data or (at the choice of Client) return the Relevant Personal Data to Client; and

4.2.2. delete any existing copies of such Relevant Personal Data unless Applicable Laws require storage of such Relevant Personal Data.

5. Sub-contractors

5.1. ConnexPay shall not, without the prior written consent of Client appoint or permit any sub-contractor to Process any Relevant Personal Data (and then subject always to clause 5.6).

5.2. For the purposes of clause 5.1, Client hereby consents to the sub-Processing of Relevant Personal Data by all sub-contractors set out in the Approved Sub-Contractors List as at the Commencement Date.

5.3. ConnexPay shall notify Client of any intended changes concerning the addition or replacement of sub-contractors on the Approved Sub-Contractors List.

5.4. If Client does not give written notice to ConnexPay objecting to any changes notified by ConnexPay pursuant to clause 5.3 within 14 (fourteen) days of such notice, Client shall be deemed to have given written consent to the appointment of the relevant additional or replacement sub-contractors.

5.5. If Client, in accordance with clause 5.4, objects to any changes notified by ConnexPay pursuant to clause 5.3:

5.5.1. such objection shall not affect ConnexPay’s right to continue to use all relevant sub-contractors previously engaged by ConnexPay; and

5.5.2. ConnexPay may at any time thereafter, at its sole option and without any liability to Client, terminate the Agreement immediately, in its entirety or in respect of one or more of the Services, or immediately suspend the provision of any one or more the Services (including suspension of access to all or any portion of the Service Platform).

5.6. Where Client consents to the appointment of a sub-contractor for the purposes of clause 5.1 (including deemed consent pursuant to clause 5.4), ConnexPay shall, prior to such sub-contractor undertaking any Processing of Relevant Personal Data, put in place a written contract with the sub-contractor which contains terms which are no less onerous than the provisions of clause 4 and this clause 5 relating to such Processing and which otherwise meets the requirements of the Data Protection Laws.

6. Data Sharing

6.1. In order to provide the Services under the Agreement, ConnexPay as a Controller, may use and share information (including, as applicable, the transaction personal data and other information about transactions, Services and other Personal Data Processed under the Agreement) with certain third parties, including ConnexPay Group Members, Card Schemes, credit reference agencies and providers of AML, ID and fraud checks and transaction monitoring tools, to help ConnexPay and/or them:

6.1.1. assess financial and insurance risks;

6.1.2. recover debt;

6.1.3. develop customer relationships, services and systems; and

6.1.4. prevent and detect crime.

6.2. Subject to clause 6.1 (and without prejudice to clauses 4 and 5 in respect of any Relevant Personal Data), ConnexPay does not and shall not disclose Client’s information to anyone other than as expressly provided in the Agreement except:

6.2.1. with Client’s specific permission;

6.2.2. where required or permitted to do so by any Applicable Laws (including statutory or regulatory reporting obligations);

6.2.3. to any Approved Sub-Contractor, or any other person who or which provides a service to Client relating to the Services; or

6.2.4. where ConnexPay may otherwise assign, sub-Agreement or transfer its rights and obligations under the Agreement.