Supplemental Terms - (General Data Protection Regulation (GDPR))
These Supplemental Terms - General Data Protection Regulation (GDPR) are to be read together with Verifone’s Standard Terms and Conditions.
If any Product or Service provided to you by Verifone involves Verifone "processing" any "personal data" falling within the scope of the GDPR (as defined below) on your behalf, including cardholder data (“Merchant Data”), then these Supplemental Terms - General Data Protection Regulation (GDPR) shall apply and the parties hereby record their intention that you shall be the "data controller" and Verifone or a Verifone Affiliate providing the relevant Product or Service in the applicable Covered Territory shall be the "data processor".
1. In these Supplemental Terms - General Data Protection Regulation (GDPR), each of the terms “data controller”, “data processor”, “personal data” and “processing” has the respective meaning ascribed to it in Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”).
2. If any Product or Service provided to you by Verifone involves Verifone processing any personal data falling within the scope of the GDPR on your behalf, including Merchant Data, the parties agree as follows:
(a) you shall ensure that you are entitled to transfer the relevant personal data to Verifone or the relevant Verifone Affiliate so that Verifone or such Verifone Affiliate may lawfully use, process and transfer the personal data on your behalf in accordance with applicable law and these Terms and Conditions that may be executed between you and Verifone or the relevant Verifone Affiliate.
(b) Notwithstanding anything contained herein, you understand and acknowledge that you are solely responsible for implementing and maintaining appropriate security measures for all systems within your control.
(c) you represent and warrant that by transferring or providing personal data to Verifone and by allowing Verifone to process personal data for the purposes of these Terms and Conditions, you will not be in breach, and will not cause Verifone or any Verifone Affiliate to be in breach, of the GDPR or any other applicable data protection laws.
(d) Verifone or the relevant Verifone Affiliate shall only process the personal data in accordance with your lawful and documented instructions, including as set out in these Terms and Conditions and any other agreement that may be executed between you and Verifone or the relevant Verifone Affiliate, unless otherwise required by applicable law. In such case, Verifone shall inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. If Verifone considers that an instruction infringes the GDPR or any other provision of European Union law or Member States laws and regulations relating to data protection, it shall immediately notify you in writing.
(e) Verifone or the relevant Verifone Affiliate shall take appropriate technical and organizational measures to protect personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access (a “Security Incident”).
(f) Upon becoming aware of a Security Incident affecting personal data processed on your behalf, Verifone shall notify you without undue delay and shall provide commercially reasonable cooperation as you may require to fulfil any data breach reporting obligations you may have under the GDPR. Verifone shall further take such reasonably necessary measures or actions to remedy or mitigate the effects of the Security Incident and shall keep you informed of all material developments in connection with the Security Incident.
(g) In the event of a Security Incident, Verifone will (i) investigate the Security Incident, (ii) provide you with a remediation plan to address the Security Incident and to mitigate the incident and reasonably prevent any further incidents, (iii) remediate the effects of the Security Incident in accordance with such remediation plan, and (iv) reasonably cooperate with you (including, but not limited to, providing audit logs) and any law enforcement or regulatory official investigating such Security Incident.
(h) you agree that Verifone or the relevant Verifone Affiliate may subcontract the processing of the personal data to Verifone Affiliates and unaffiliated third-party sub-processors (“Sub-processors”) to process personal data under these Terms and Conditions. Additional information on Verifone Affiliates and Sub-processors is available at www.verifone.com/en/us/general-data-protection-regulation-gdpr. Notwithstanding your consent to the Sub-processors, Verifone shall provide reasonable notice to you of the engagement of any new Sub-processor and, if you object in writing to the new Sub-processor on reasonable grounds relating to data protection within fifteen (15) calendar days of receiving such notice, then Verifone shall either not engage that Sub-processor to process the personal data under these Terms and Conditions or will discuss such concerns in good faith with you with a view to achieving resolution in accordance with the dispute resolution procedures of these Terms and Conditions. If resolution cannot be reached, you may suspend or terminate the affected processing operations (without prejudice to any fees or charges incurred by you prior to the suspension or termination).
(i) Notwithstanding the foregoing Section 2(h) above, Verifone’s contract with any Sub-processor shall require the Sub-processor to protect the personal data to the standards required by applicable data protection laws. Verifone shall remain responsible for any breach of these Supplemental Terms - General Data Protection Regulation (GDPR) caused by a Sub-processor to the same extent it is liable under these Terms and Conditions.
(j) With respect to any applicable Territory within the European Economic Area (“EEA”) and the UK (an EEA/UK Territory), you acknowledge that Verifone’s performance of its obligations under these Terms and Conditions may involve the transfer of Merchant Data outside of that applicable Territory, including to portions of Verifone’s Cloud Services Environment located outside of the EEA and/or outside the UK. Verifone shall not process (or cause to be processed) any Merchant Data originating from an EEA/UK Territory in a country that has not been designated by the European Commission (or, in the case of Merchant Data originating from the UK after the Brexit transition period, the competent UK authority) as providing an adequate level of data protection unless it has put in place such measures (including appropriate safeguards) as are necessary to ensure such transfer is in compliance with the EEA (“GDPR”) and UK data protection laws, except where otherwise required by applicable law. You authorize transfers of Merchant Data to Verifone Affiliates and sub-processors located in such destinations outside of the EEA and the UK subject to such appropriate safeguards having been put in place. Additional information on Verifone Affiliates is available here: www.verifone.com/en/us/general-data-protection-regulation-gdpr.
(k) From time to time, you may need to respond to a request from a data subject seeking to exercise its rights under the GDPR. In such an instance, Verifone, if requested by you and insofar as it is commercially reasonable, shall provide assistance to you as reasonably necessary to enable you to respond to such request in compliance with PCI-DSS standards. In the event such a request is made directly to Verifone, Verifone shall promptly inform you of the same.
(l) To the extent that, with respect to personal data processed or to be processed by Verifone under these Terms and Conditions, you are obligated to carry out data protection impact assessments and prior consultations with supervisory authorities as required under the GDPR, Verifone shall, at your cost and taking into account the nature of the processing and the information available to Verifone, provide reasonable assistance to you as needed.
(m) Verifone shall maintain adequate documentation verifying its compliance with these Supplemental Terms - General Data Protection Regulation (GDPR). You acknowledge that Verifone’s Cloud Services Environment is regularly audited against Payment Card Industry Data Security Standards (“PCI-DSS”) by independent, third-party auditors and, upon request, Verifone shall provide a copy of its most recent Attestation of Compliance (AOC) to you. Further, Verifone shall provide you with written responses or documentation (at reasonable intervals and on a confidential basis) to reasonable requests for information that are necessary to confirm Verifone’s compliance with these Supplemental Terms - General Data Protection Regulation (GDPR).
(n) Verifone shall ensure that any personnel that it authorizes to process the personal data shall be subject to a duty of confidentiality.
(o) Upon expiry or termination of these Terms and Conditions, Verifone shall delete or return to you the personal data (including copies) in Verifone’s possession in accordance with these Terms and Conditions and PCI-DSS standards. This requirement shall not apply to the extent that Verifone is required by applicable law or PCI-DSS standards to retain some or all of the personal data or to personal data archived on backup systems.
3. A description of the nature and purposes of the processing, the types of personal data, categories of data subjects and the duration of the processing that Verifone or Verifone Affiliate may carry out on your behalf are set out further below:
(a) Nature and purposes of the processing: The processing operations carried out on personal data are those necessary to enable Verifone to provide any Product or Service under these Terms and Conditions;
(b) Types of personal data processed: In providing any Product or Service pursuant to these Terms and Conditions and any additional instructions provided by you, the types of personal data collected and processed may include:
• you and your end user and cardholder’s identification data (e.g., name, email, etc.),
• payment information (e.g., credit card number, expiry date, CVV, etc.),
• payment device and connectivity information (e.g., UID, IP addresses, etc.),
• transaction data (e.g., order reference, transaction time, amount, authorization) and
• similar data directly related to the processing of personal data on your behalf;
(c) Categories of data subjects: The personal data to be processed on your behalf may include, but is not limited to, the following categories of data subjects: you and your end users and shoppers (e.g., cardholder, payer, consumer); and your employees, agents, consultants, service providers, and, if applicable, vendors.
(d) Duration of processing: The personal data will be processed for the duration of these Terms and Conditions unless otherwise agreed between the Parties or required by applicable law or regulation.
4. Information regarding the processing of personal data carried out by Verifone as Data Controller. Verifone processes your personal data, acting as data controller, and especially those relating to your employees (in particular identification data), for the purposes of managing the business relationship (invoicing, order process, etc.), complying with legal obligations, security and business continuity, optimization of the services and management/creation of access accounts. Further, notwithstanding anything to the contrary herein, Verifone may process personal data relating to your customer data subjects, acting as data controller, for security and fraud screening purposes. These processing operations are carried out for the performance of these Terms and Conditions and/or are based on Verifone’s legitimate interest. These personal data are necessary to enable Verifone to fulfil its obligations under these Terms and Conditions. If you do not provide the personal data to Verifone, Verifone will not be able to fulfil its obligations under these Terms and Conditions. These personal data may be disclosed to Verifone’s internal services, Affiliates and Verifone’s Data Processor(s). In addition, the personal data may be transferred outside the EEA and/or the UK, in particular to the United States, to Verifone Affiliates and data processors on the basis of the Standard Contractual Clauses executed with those parties. These personal data will be retained for the duration of these Terms and Conditions and longer, if necessary to fulfil the purposes for which they are collected or to exercise, establish or defend legal claims, and may be archived for administrative and/or probative purposes.
In accordance with applicable data protection laws, the data subject has the right to access, rectify, erase, restrict, object, request the portability of their personal data and the right to set guidelines on their personal data in case of death, together with the right to lodge a complaint before the competent supervisory authority. The data subject may exercise their rights by writing to: privacy@verifone.com. For more information regarding the processing of personal data carried out by Verifone, please click on this link: www.verifone.com/us/gdpr-privacy-policy.
Insofar as Verifone is not in a direct relationship with the data subject whose personal data are collected, you undertake to provide your employees concerned by the processing operations with all information relating to the processing of their personal data for the purposes described above.