UNNAX PAYMENT SYSTEMS, S.L.U. DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA” or “Addendum”) forms part of the main agreement (“Principal Agreement”) entered into between (i) Company or Client acting on its own behalf and as agent for each Company Affiliate; and (ii) UNNAX PAYMENT SYSTEMS, S.L.U. (“UNNAX”) acting on its own behalf and as agent for each UNNAX Affiliate.
UNNAX enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of any authorized Subprocessor.
In the course of providing the Services to Client by UNNAX pursuant to the Principal Agreement, UNNAX may process Personal Data on behalf of Client and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Principal Agreement. Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum.
1.1. The present Addendum regulates the terms and conditions that will apply to the processing of Personal Data to which UNNAX may have access by virtue of the Services.
1.2. For the purposes of the present Addendum, terms shall have the meanings set out in Annex 1.2.
2. PROCESSING OBJECTIVES
2.1. UNNAX undertakes to process personal data on behalf of the Company in accordance with the conditions laid down in this DPA. The processing will be executed exclusively within the framework of the Agreement, and for all such purposes as may be agreed to subsequently.
2.2. UNNAX shall refrain from making use of the personal data for any purpose other than as specified by the Company. The Company will inform UNNAX of any such purposes which are not contemplated in this DPA.
2.3. All personal data processed on behalf of the Company shall remain the property of the Company and/or the relevant Data subjects.
2.4. UNNAX shall take no unilateral decisions regarding the processing of the personal data for other purposes, including decisions regarding the provision thereof to third parties and the storage duration of the data.
2.5. Annex 2.5 to this Addendum sets out certain information regarding the Contracted Processors’ Processing of the Company Personal Data as required by article 28(3) of the GDPR (and, possibly, equivalent requirements of other Data Protection Laws). Company may make reasonable amendments to Annex 2.5 by written notice to UNNAX from time to time as Company reasonably considers necessary to meet those requirements. Nothing in Annex 2.5 confers any right or imposes any obligation on any party to this Addendum.
3. UNNAX’S OBLIGATIONS
3.1. UNNAX shall warrant compliance with the applicable laws and regulations, including laws and regulations governing the protection of personal data.
3.2. UNNAX shall furnish the Company promptly on request with details regarding the measures it has adopted to comply with its obligations under this Addendum.
3.3. UNNAX’s obligations arising under the terms of this Addendum apply also to whomsoever processes Company Personal Data under UNNAX’s instructions.
4. UNNAX AND UNNAX AFFILIATE PERSONNEL
4.1. UNNAX and each UNNAX Affiliate shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
5.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, UNNAX and each UNNAX Affiliate shall implement appropriate technical and organizational measures to protect the Data (i) from accidental or unlawful destruction, and (ii) from loss, alteration, unauthorized disclosure of, or access to the Data. At a minimum, such measures shall include the security measures identified in Annex 5.1.
5.2. In assessing the appropriate level of security, UNNAX and each UNNAX Affiliate shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
6.1. Company acknowledges and agrees that UNNAX shall use Subprocessors (including UNNAX Affiliates) as set out in the then-current Subprocessor list available at [https://www.unnax.com/es/subprocessor] to provide the Services.
6.2. UNNAX shall enter into a written agreement with each such Subprocessor that imposes obligations on the Subprocessor that are substantially similar to those imposed on UNNAX under this Addendum. UNNAX shall only retain Subprocessors that UNNAX can reasonably expect to appropriately protect the privacy, confidentiality and security of the Personal Data.
7. DATA SUBJECT RIGHTS
7.1. Taking into account the nature of the Processing, UNNAX and each UNNAX Affiliate shall assist each Company Group Member by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Company Group Members’ obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
7.2. UNNAX shall:
7.2.1. Promptly notify Company if any Contracted Processor receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data.
7.2.2. Ensure that the Contracted Processor does not respond to that request except on the documented instructions of Company or the relevant Company Affiliate or as required by Applicable Laws to which the Contracted Processor is subject, in which case UNNAX shall to the extent permitted by Applicable Laws inform Company of that legal requirement before the Contracted Processor responds to the request.
8. PERSONAL DATA BREACH
8.1. UNNAX shall notify Company without undue delay upon UNNAX or any Subprocessor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow each Company Group Member to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
8.2. UNNAX shall co-operate with Company and each Company Group Member and take such reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
9. UNNAX ASSISTANCE
9.1. UNNAX will assist the Company in ensuring compliance with its obligations pursuant to articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to UNNAX.
10. DELETION OR RETURN OF COMPANY PERSONAL DATA
10.1. Upon termination or expiry of the Agreement, UNNAX shall (at Company’s election) destroy or return to Company all Company Personal Data (including all copies of the Data) in its possession or control (including any data subcontracted to a third party for processing). This requirement shall not apply to the extent that UNNAX is required by any applicable law to retain some or all of the Data, in which event UNNAX shall isolate and protect the Data from any further processing except to the extent required by such law.
10.2. Upon request by Company, UNNAX shall provide a written certification that it has complied with the requirements of this Section signed by an officer of UNNAX.
11. COMPLIANCE DEMONSTRATION
11.1. UNNAX shall make available to the Company the information necessary to demonstrate compliance with the obligations laid down in article 28 of the GDPR and, if needed, allow audits conducted by the Company that is not a competitor of UNNAX.
12. RESTRICTED TRANSFERS
12.1. Each Company Group Member (as “data exporter”) and each Contracted Processor, as appropriate, (as “data importer”) will enter into the Standard Contractual Clauses in respect of any Restricted Transfer from that Company Group Member to that Contracted Processor.
12.2. The Standard Contractual Clauses shall come into effect on the later of:
12.2.1. The data exporter becoming a party to them.
12.2.2. The data importer becoming a party to them.
12.2.3. Commencement of the relevant Restricted Transfer.
12.3. Section 12.1 shall not apply to a Restricted Transfer unless its effect, together with other reasonably practicable compliance steps (which, for the avoidance of doubt, do not include obtaining consents from Data Subjects), is to allow the relevant Restricted Transfer to take place without breach of applicable Data Protection Law.
12.4. UNNAX warrants and represents that, before the commencement of any Restricted Transfer to a Subprocessor which is not a UNNAX Affiliate, UNNAX’s or the relevant UNNAX Affiliate’s entry into the Standard Contractual Clauses, and agreement to variations to those Standard Contractual Clauses, as agent for and on behalf of that Subprocessor will have been duly and effectively authorized (or subsequently ratified) by that Subprocessor.
13. GENERAL TERMS
13.1. Governing law and jurisdiction
13.1.1. The Addendum and the implementation thereof will be governed by Spanish law.
13.1.2. Any dispute which may arise in connection with and/or arising from this Addendum shall be governed by the courts of the City of Barcelona (Spain).
13.2. Order of precedence
13.2.1. Nothing in this Addendum reduces UNNAX’s or any UNNAX Affiliate’s obligations under the Principal Agreement in relation to the protection of Personal Data or permits UNNAX or any UNNAX Affiliate to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Principal Agreement. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
13.2.2. Subject to section 13.2, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.
13.3.1. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
IN WITNESS WHEREOF, this Addendum is entered into and becomes a binding part of the Principal Agreement with effect from the date first set out above.
ANNEX 1.2: DEFINITIONS
In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
1. “Applicable Laws” means (a) European Union or Member State laws with respect to any Company Personal Data in respect of which any Company Group Member is subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Company Personal Data in respect of which any Company Group Member is subject to any other Data Protection Laws;
2. “Company Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with Company, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
3. “Company Group Member” means Company or any Company Affiliate;
4. “Company Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of a Company Group Member pursuant to or in connection with the Principal Agreement;
5. “Contracted Processor” means UNNAX or a Subprocessor;
6. “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
7. “EEA” means the European Economic Area;
8. “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
9. “GDPR” means EU General Data Protection Regulation 2016/679;
10. “Restricted Transfer” means:
(i) a transfer of Company Personal Data from any Company Group Member to a Contracted Processor; or
(ii) an onward transfer of Company Personal Data from a Contracted Processor to a Contracted Processor, or between two establishments of a Contracted Processor,
in each case where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of (i) the Standard Contractual Clauses, or (ii) a self-certification to the Privacy Shield (to be maintained for so long as UNNAX processes the Company Personal Data), assuming that the scope of such self-certification covers all Company Personal Data that UNNAX processes under the Agreement and this Addendum, and UNNAX agrees to comply with the Privacy Shield Principles when processing any such Company Personal Data;
11. “Services” means the services and other activities to be supplied to or carried out by or on behalf of UNNAX for Company Group Members pursuant to the Principal Agreement;
12. “Standard Contractual Clauses” means the standard contractual clauses which are adopted either directly by the Commission or by a supervisory authority in accordance with art. 28.7 and 28.8 of the GDPR;
13. “Subprocessor” means any person (including any third party and any UNNAX Affiliate, but excluding an employee of UNNAX or any of its sub-contractors) appointed by or on behalf of UNNAX or any UNNAX Affiliate to Process Personal Data on behalf of any Company Group Member in connection with the Principal Agreement; and
14. “UNNAX Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with UNNAX, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
1.2. The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
1.3. The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
ANNEX 2.5: DETAILS OF PROCESSING OF COMPANY PERSONAL DATA
This Annex 2.5 includes certain details of the Processing of Company Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Company Personal Data
The subject matter and duration of the Processing of the Company Personal Data are set out in the Principal Agreement and this Addendum.
The nature and purpose of the Processing of Company Personal Data
Providing the Services to Client by UNNAX pursuant to the Principal Agreement.
The types of Company Personal Data to be Processed
Personal email address
Date of birth
Credit card number
Debit card number
Other financial statements
The categories of Data Subject to whom the Company Personal Data relates
Online banking user
The obligations and rights of Company and Company Affiliates
The obligations and rights of Company and Company Affiliates are set out in the Principal Agreement and this Addendum.
DESCRIPTION OF THE TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES TO BE IMPLEMENTED BY THE VENDOR
1. Information Security Program (ISP)
Vendor will maintain an ISP designed to (a) help Client secure Personal Data against accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorized access to the Vendor Network (defined below), and (c) minimize security risks, including through risk assessment and regular testing. Vendor will appoint an employee to be accountable for the ISP.
The ISP will include the following measures:
1.1. Network Security
The Vendor Network will be accessible to employees, contractors and any other person as required to provide the data processing services. Vendor will maintain access controls and policies to manage access to the Vendor Network from each network connection and user, including the use of authentication controls, firewalls or intrusion detection systems. Vendor will maintain security incident response plans to handle potential security incidents.
1.2. Physical Security
Physical components of the Vendor Network are housed in facilities (“Facilities”) controlled by an ISO 27001 certified company (i.e. Amazon Web Services) or in Facilities which meet or exceed all of the following physical security requirements:
(i) Physical Access Controls. Physical barrier controls are used to prevent unauthorized entrance to the Facilities both at the perimeter and at building access points. Passage through the physical barriers at the Facilities requires either electronic access control validation (e.g., card access systems, etc.) or validation by human security personnel (e.g., contract or in-house security guard service, receptionist, etc.). Employees and contractors are assigned photo-ID badges that must be worn while the employees and contractors are at any of the Facilities. Visitors are required to sign-in with designated personnel, must show appropriate identification, are assigned a visitor ID badge that must be worn while the visitor is at any of the Facilities, and are continually escorted by authorized employees or contractors while visiting the Facilities.
(ii) Limited Employee and Contractor Access. Vendor provides access to the Facilities to those employees and contractors who have a legitimate business need for such access privileges. When an employee or contractor no longer has a business need for the access privileges assigned to him/her, the access privileges are promptly revoked, even if the employee or contractor continues to be an employee of Vendor or its affiliates.
(iii) Physical Security Protections. All access points (except for main entry doors) are maintained in a locked state. Access points to the Facilities are monitored by video surveillance cameras designed to record all individuals accessing the Facilities. Vendor also maintains electronic intrusion detection systems designed to detect unauthorized access to the Facilities, including monitoring points of vulnerability (e.g., primary entry doors, emergency egress doors, roof hatches, dock bay doors, etc.) with door contacts, glass breakage devices, interior motion-detection, or other devices designed to detect individuals attempting to gain access to the Facilities. All physical access to the Facilities by employees and contractors is logged and routinely audited.
1.3. Personal Data Security. Controls for the Protection of Personal Data.
Vendor will maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. Vendor regularly monitors compliance with these measures. Vendor will not materially decrease the overall security of the data processing services during a subscription term.
1.4. Business Continuity and Disaster Recovery
Vendor will maintain a Business Continuity and Disaster Recovery plan based on risk. Recovery plans are tested at least annually to guarantee that full recovery is possible to meet expected SLAs.
1.5. Employee security
Vendor will have signed confidentiality agreements with its employees and contractors. For positions with access to personal information, background checks are also performed. Also, all employees and contractors will have a common way to report incidents approved by the organization, and they will undergo security awareness training at least annually.
2. Ongoing Evaluation
Vendor must reassess and update its security policies on a periodic basis. Changes must be documented and subject to change control.