1. Definitions
1.1. Personal data – any information about a natural person who was identified or who can be identified (data subject) as defined in paragraph 1 of Article 4 of the GDPR.
1.2. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.3. Data processing – actions performed with the Personal data as defined in paragraph 2 of Article 4 of the GDPR.
1.4. Data processor – a person who processes personal data on behalf of a data controller as defined in paragraph 8 of Article 4 of the GDPR.
1.5. Data controller – a person who determines the purposes and means of processing of data as defined in paragraph 7 of Article 4 of the GDPR.
1.6. Merchant – a client of the Paysera system who sells goods and services and uses one or more services of online payment processing and/or online payment processing by payment cards and/or payment processing via the operators indicated in the system and provided by Paysera for Merchants.
1.7. Buyer – the payer and/or the final recipient of services provided and goods sold by the Merchant using the System for the collection of payments.
1.8. System – a software solution on Paysera web pages, developed by Paysera and used for provision of Paysera services.
2. General provisions
2.1. The Personal Data Processing Agreement (hereinafter – the Agreement) regulates the process of the Personal data processing of the Buyer, mutual obligations and liability between the Merchant and Paysera. The aim of the present agreement is to ensure the protection and security of the Personal data of the Buyer, for the processing of which the Merchant uses Paysera, in accordance with applicable legislation.
2.2. The Agreement excludes the Personal data processed by Paysera who acts as the Data controller on the basis of GDPR Article 6(1)(c) as the electronic money institution providing payment services. The processing of this Personal data is regulated by the Paysera Privacy policy.
2.3. The Agreement is an annexe to the General Payment Services Agreement and is an integral part of annexes to the agreement that are applied to the Merchant when using the services of online payment processing from buyers, online payment processing by payment cards, and payment processing via the operators provided in accordance with the provisions of annexes to the General Payment Services Agreement. The Agreement comes into force automatically when the Merchant starts using the services of online payment processing and/or online payment processing by payment cards, and/or payment processing via operators.
2.4. The Merchant as the Data controller uses Paysera as the Data processor for processing the Personal data of Buyers.
2.5. Paysera as the Data processor processes the Personal data of Buyers on behalf of the Merchant on the basis of the present Agreement.
2.6. Contact details of the data protection officer appointed by Paysera: dpo@paysera.com.
3. Personal data processing conditions
3.1. The Merchant, by using mutual technical integration in the Paysera System, determines which Personal data requests will be submitted to the Buyer, i.e. which Personal data of the Buyer will be collected.
3.2. Paysera, by taking into account the Personal data requests enabled by the Merchant in the Paysera system, processes the Personal data of the Buyer on behalf of the Merchant.
3.3. The Merchant may appoint Paysera to process the Personal data of the Buyer of these categories:
3.3.1. name;
3.3.2. surname;
3.3.3. personal code;
3.3.4. email address;
3.3.5. address (country, state, city, street, house number, apartment number);
3.3.6. language;
3.3.7. IP address;
3.3.8. bank account number;
3.3.9. payment purpose information;
3.3.10. phone number.
3.4. The Merchant appoints Paysera to perform the collection of the Personal data of the Buyer, transferring it to the Merchant and storing it.
3.5. Paysera stores the Personal data for 10 (ten) years from the date of receipt of the Personal data, in case of the Recurring payment service – for 10 (ten) years after the date of the last recurring payment. Upon the expiry of the storage period, Paysera destroys records of the Personal data.
4. Liabilities of the Parties
4.1. The Merchant (Data controller) under the present Agreement undertakes:
4.1.1. to ensure that Personal data processing is based on legal purposes and grounds, and, if applicable, that the appropriate request of the Buyer is received regarding the processing of personal data;
4.1.2. to process Personal data in accordance with principles related to Personal data processing determined in Article 5 of the GDPR and requirements of legal acts;
4.1.3. to create appropriate conditions for the Buyer to implement all rights of the data subject and to directly respond to requests of the Buyer regarding the implementation of the data subject’s rights specified in chapter 3 of the GDPR;
4.1.4. to approve internal data processing rules where the following must be indicated:
4.1.4.1. when it is required according to applicable legal acts, name and surname (legal name) and contact details of the representative of the data processor and data protection officer;
4.1.4.2. categories of the performed data processing;
4.1.4.3. if applicable, transfers of personal data to a third country or international organisation by also specifying that third country or international organisation, documents of appropriate means of protection;
4.1.4.4. description of technical and organisational means of security.
4.2. Paysera (Data processor) under the present Agreement undertakes:
4.2.1. to process the Personal data of Buyers only within the scope and for purposes determined by the Merchant;
4.2.2. not to modify, edit, or amend the Personal data, not to disclose and prevent disclosure of the Personal data to any third person, unless it is required for the proper performance of contractual obligations with the Merchant;
4.2.3. to implement appropriate technical and organisational means to ensure a security level corresponding to the threat;
4.2.4. according to the scope of processed Personal data of the Buyer, assist the Merchant as the Data controller to respond to requests of the data subject regarding the implementation of the data subject’s rights specified in chapter 3 of the GDPR;
4.2.5. in case of a Personal data breach, notify the Merchant immediately so that they could fulfil the duty of the Personal data controller and report the Personal data breach in accordance with legal acts regulating the protection of data;
4.2.6. take appropriate measures to ensure the reliability of any employee, intermediary or contractor, sub-processor or other third person who has access to the Personal data, and that in every case this access would be restricted and provided to those persons to whom it is necessary by also ensuring that confidentiality agreements are concluded with these persons or that they are subject to a confidentiality obligation.
5. Personal data sub-processing
5.1. The Merchant agrees that Paysera without a separate prior agreement uses other processors (sub-processors) for the Personal data processing or can deliver this data to the third parties if such operation corresponds with the provisions of the Agreement.
5.2. Paysera, when transferring the Personal data to the third parties and using sub-processors undertakes to conclude the Personal Data Processing Agreement ensuring standards equivalent to the Personal data protection standards established in the present Agreement.
5.3. Upon the Buyer’s request, Paysera undertakes to provide a relevant list of Personal data sub-processors.
6. Personal data transfer to third countries
6.1. The Merchant agrees that Paysera without prior consent delivers Personal data to subjects outside the European Union or the European Economic Area if such transfer corresponds to the provisions of the Agreement.
6.2. Paysera, when transferring the Personal data to subjects outside the European Union or the European Economic Area, undertakes to conclude the Personal data processing agreements corresponding to GDPR requirements for such agreements and ensuring equivalent Personal data protection standards established in the present Agreement.
6.3. Upon the Merchant’s request, Paysera undertakes to provide a relevant list of recipients of Personal data outside the European Union or the European Economic Area to whom Personal data of Buyers is transferred.
7. End of personal data processing
7.1. Upon the ending of the Personal data processing established in clause 3.5 of the Agreement, Paysera undertakes to delete all Personal data stored and all its possible copies.
8. Other conditions
8.1. The Parties agree that, when performing this Agreement, information received from another party to the Agreement is confidential. During the validity of the Agreement and at the end of the Agreement neither of the parties without the prior written consent of the other party shall have a right to disclose such information to any other third person, except for mandatory cases when such information has to be disclosed according to the laws of the Republic of Lithuania. Obligations of parties regarding non-disclosure of information shall be of unlimited duration. The party who has breached the obligation to store confidential information and not to disclose it must reimburse all the losses to the other party.
8.2. All disputes arising from this Agreement are solved by negotiation, and in case of failure, disputes are resolved according to the procedure established in the laws of the Republic of Lithuania.
8.3. In case of discrepancies between the conditions of this Agreement and other agreements regulating the protection of personal data concluded between these parties, the following provisions of the present Agreement will apply.
9. Validity term, amendments
9.1. The Agreement comes into effect when the Merchant starts using online payment processing, and/or online payment processing by payment cards, and/or Payment processing through operators and is valid while the Merchant is using these services.
9.2. The Agreement is an integral part of the General Payment Services Agreement and can be modified according to the procedure provided therein.