In addition to the General Terms and Conditions, the following clauses apply to some ancillary services and/or any option offered to the Merchant for which it is expressly indicated that the Merchant is the data controller and that Ingenico FS is the data processor (hereinafter “the Option”).
The “GDPR Regulation” shall have the same meaning as the definition of “Data Protection Law” set out in the General Terms and Conditions.
1. Description of the processing
The processing of Personal Data that Ingenico FS performs as data processor when providing the Option under the concluded contract has the following characteristics:
- For each of the processing operations whose purpose is specified below, the Merchant acts as data controller and undertakes to respect the obligations of the GDPR Regulation;
- Ingenico FS, for its part, under each of these processing operations, acts as data processor of the Merchant and acts upon the documented instructions of the Merchant. Ingenico FS is not the data controller of such processing;
- The Merchant has selected the Option as the most appropriate means to perform the processing of Personal Data for the purpose herein specified;
- The purpose of the processing is the provision of the service related to the Option as described in the concluded contract;
- The Personal Data that are being processed are Personal Data that are received and handled during the processing of the Transactions such as Transaction data, including the card number, its expiry date, the date and the amount of the Transaction;
- The data subjects concerned by the processing are the holders of the payment means (i.e.: the Merchant’s customers) whose Personal Data are processed in the context of the Option;
- The Personal Data will be retained during the period that is indicated in the service description. After this term, subject to any contrary statutory, regulatory or contractual retention obligations imposing upon Ingenico FS another retention period for the Personal Data, said Personal Data will be erased or anonymized in accordance with article 2.g. Without prejudice to the backups performed by Ingenico FS, and provided the Ingenico Platform enables this, the Merchant can reduce this retention period. The Merchant assumes the responsibility for the period he chooses. The service description can foresee other modalities for the retention of the Personal Data and for the reduction of the retention period of the Personal Data. In such case, such modalities prevail over the provisions set out in this article;
2. Commitments of Ingenico FS
Ingenico FS shall implement, in the scope of its PCI DSS certified organisation, the appropriate technical and organisational measures that apply in the sector in which it is active in order for the processing to comply with the requirements set out in the GDPR Regulation. Ingenico FS guarantees to protect the rights of the data subjects. In its capacity of data processor, Ingenico FS commits to:
- Only process the Personal Data upon the instruction of the Merchant, including with regard to transfers of Personal Data to a third country or to an international organisation, it being specified that the modalities in which the Option is provided, as described in the concluded contract, constitute the instructions of the Merchant;
- Ensure that its employees and the employees of its subcontractors (hereinafter referred as “Data sub-Processors”) that are authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Implement, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the appropriate technical and organisational measures to ensure a level of security appropriate to the risk;
- To the extent possible and taking into account the nature of the concerned processing, assist the Merchant, by appropriate technical and organisational measures for the fulfilment of its obligations to respond to requests for exercising the data subjects’ rights that are set out in the GDPR Regulation. To the extent permitted by law, the Merchant will be responsible for any costs resulting from the provision of such assistance by Ingenico FS;
- Taking into account the nature of the concerned processing and the information available to Ingenico FS, assist the Merchant in complying with its notification obligations provided for in the GDPR Regulation, which implies that, in the event of a Personal Data breach as defined in the GDPR Regulation, Ingenico FS notifies the Merchant without undue delay after becoming aware of the Personal Data breach;
- Taking into account the nature of the concerned processing and the information available to Ingenico FS, assist the Merchant in carrying out impact assessments relating to the protection of Personal Data, as well as in carrying out the consultation of the supervisory authority, where applicable. To the extent permitted by law, the Merchant will be responsible for any costs resulting from the provision of such assistance by Ingenico FS;
- At the choice of the Merchant and provided a law, regulation or a judicial or administrative authority does not require the retention of the Personal Data, delete all the Personal Data or return all the Personal Data at the end of the provision of the Option or at the end of the retention period and destroy all existing copies, except for backup copies and for Personal Data that is stored in log files which will be retained until the expiry of such back-up and log files according to Ingenico FS policies;
- Make available to the Merchant all information necessary to demonstrate compliance with the obligations laid down in this article and allow for and contribute to audits, including inspections, conducted by the Merchant or another auditor mandated by the Merchant;
In case of audits, the following principles shall be respected: the Merchant shall not request more than one (1) audit per contractual year, unless Ingenico FS has seriously breached its obligations, in which case the Merchant is entitled to request an additional audit. In order to conduct an audit, the Merchant informs Ingenico FS of the request by means of a registered letter with acknowledgement of receipt at least six (6) weeks prior to the scheduled audit date and shall include a detailed audit plan. In case of an audit that takes place following a serious breach committed by Ingenico FS, the Merchant will inform Ingenico FS forty-eight (48) hours in advance. The following principles shall apply in all circumstances: 1) the reference that applies to the audit will be the PCI reference that applies to the Service of Ingenico FS. In this respect it is expressly agreed that audits shall not include: financial data or Personal Data that do not concern the Merchant, any information of which the disclosure might affect the security of the systems and/or of data of Ingenico FS (in such case Ingenico FS shall provide legitimate motives for its refusal, such as for example confidentiality or security reasons) or of other customers of Ingenico FS, and Software source code or any other tool used by Ingenico FS; 2) all costs related to such audit, including internal costs of Ingenico FS, shall be at the sole expense of the Merchant. Ingenico FS shall invoice all costs related to the audit, including working days of its staff, to the Merchant, it being stressed that the daily rate of said working days is fixed at 1.400,00 EUR; 3) the duration of the audit shall not take up more than three (3) working days; 4) the auditor shall not be allowed to take copies of documents, files, data or information, in total or in part, nor shall the auditor be allowed to take photos, to digitise or to make audio, video or computer recordings; neither can the auditor ask that all or part of such elements be provided or sent to him; Ingenico FS may show sensitive documents in a secured room (black room); 5) each auditor, being a natural person, shall only be allowed at the site of Ingenico FS or at a site of its subcontractors if the Merchant has provided information on his identity. The Merchant assures the probity of its mandated auditors irrespective of whether they are employees of the Merchant or whether they are working for an external audit firm, and the Merchant guarantees that the auditor shall respect the confidentiality obligations that are set out in the concluded contract; 6) the audit shall take place during working hours of Ingenico FS and shall be performed in such a manner as not to disturb the provision of the Service of Ingenico FS nor any other activity which is performed by Ingenico FS for the benefit of its other customers, which shall in any case have priority over the audit that is conducted; Ingenico FS shall be entitled at any moment to suspend the audit if the provision of the Service of Ingenico FS requires that resources and/or means used for the audit are mobilised for other purposes.
- Immediately inform the Merchant if, according to Ingenico FS, an instruction of the Merchant constitutes a breach of the GDPR Regulation;
3. Data sub-Processors
Ingenico FS is allowed to appoint one or more Data sub-Processors to carry out specific processing activities for Personal Data processed within the framework of the performance of the Option. The Data sub-Processors and their respective location are specified in the service description.
Ingenico FS may recruit additional Data sub-Processors or replace an existing Data sub-Processor provided it notifies the Merchant thereof ninety (90) days in advance, in order to enable the Merchant to evaluate these changes and, in the event the Merchant objects to such changes, to terminate the use of the Option according to the following provisions. The Merchant shall have a period of thirty (30) days as from the notification made by Ingenico FS to notify in writing any objections (the “Notice of Objections”). As Ingenico FS offers a shared service, and unless the parties have agreed on an alternative solution to these objections, the use of the Option may be terminated by either party by providing written notice at the latest within thirty (30) days following the Notice of Objections. This termination will be effective after a period of thirty (30) days from the date of notification of the termination of the use of the Option, and the Merchant will no longer be able to use the Option from that date. In the absence of a Notice of Objections within the aforementioned thirty (30) day period, the Option will continue to be provided by Ingenico FS to the Merchant with the assistance of the new Data sub-Processor.
In any event, to the extent that Ingenico FS appoints or replaces a Data sub-Processor to carry out specific processing activities of Personal Data in connection with the provision of the Option to the Merchant, obligations no less onerous than those relating to the protection of Personal Data as herein set out will be imposed on that Data sub-Processor, in particular with regard to providing sufficient guarantees for the implementation of appropriate technical and organisational measures in a manner that meets the requirements of the GDPR Regulation. Where that Data sub-Processor fails to fulfil its data protection obligations, Ingenico FS shall remain fully liable to the Merchant for the performance of that Data sub-Processor's obligations.
In case of an Emergency, as defined below, Ingenico FS is authorized by the Merchant to appoint another Data sub-Processor or to replace an existing Data sub-Processor with immediate effect, for carrying out specific processing activities. In such circumstances, Ingenico FS must notify the Merchant of such appointment or of such replacement without undue delay. The Merchant shall have a period of thirty (30) days as from the date of the notification made by Ingenico FS to notify in writing any objections (the “Notice of Objections”). As Ingenico FS offers a shared service, and unless the parties have agreed on an alternative solution to these objections, the use of the Option may be terminated by either party by providing written notice at the latest within thirty (30) days following the Notice of Objections. This termination will be effective after a period of thirty (30) days from the date of notification of the termination of the use of the Option, and the Merchant will no longer be able to use the Option from that date. In the absence of a Notice of Objections within the aforementioned thirty (30) day period, the Option will continue to be provided by Ingenico FS to the Merchant with the assistance of the new Data sub-Processor. An Emergency is defined as any event that renders the provision of the Option reasonably or commercially excessively difficult.
4. Commitments of the Merchant
The Merchant commits to respect the obligations that apply to it according to the GDPR Regulation.
5.1. Transfers for Transaction processing needs
The Merchant is informed and acknowledges that, when providing the Option, Ingenico FS or its Data sub-Processors may be required to communicate the Personal Data to third parties involved in the transaction processing chain, including the acquirers, financial institutions and international payment schemes, with which Ingenico FS or its Data sub-Processors have no contractual relationship but whose intervention is necessary for the processing of the Transaction in accordance with the concluded contract and / or the instructions of the Merchant. This may lead to the transfer of Personal Data in a country outside the European Economic Area that does not have an adequate level of protection. In this case, it is the Merchant's responsibility to ensure that Ingenico FS and its Data sub-Processors may make such transfer of Personal Data in accordance with applicable laws and regulations.
5.2. Transfer resulting from the provision of Service by Ingenico FS
In the event that the use of a Data sub-Processor by Ingenico FS requires the transfer of Personal Data to a country located outside the European Economic Area which does not have an adequate level of protection, Ingenico FS undertakes to implement a management solution for this transfer in accordance with the provisions of the GDPR Regulation.
To this end, and to the extent that the envisaged framework solution consists of the signing of a data transfer agreement based on the standard contractual clauses adopted by the European Commission for the transfer of Personal Data to Data sub-Processors established in third countries which do not ensure an adequate level of data protection (as these clauses may be amended or replaced), the Merchant, in its capacity as data exporter, hereby gives Ingenico FS the mandate to sign on its behalf and for its account such data transfer agreement with the data importer(s) concerned.
In addition, if Ingenico FS is obliged to transfer Personal Data to a third country or to an international organization under the law of the Union or the law of the Member State to which it is subject, Ingenico FS must inform the Merchant of this legal obligation prior to processing, unless the law concerned prohibits such information for reasons of public interest.
6. Requests from law enforcement authorities and other legal or administrative authorities
The communication by Ingenico FS of any Personal Data to law enforcement authorities and other legal or administrative authorities (the “Authorities”), whenever such communication is requested by such an Authority, shall only be done if the Merchant has instructed Ingenico FS to do so, unless Ingenico FS is obliged by law 1) to provide the information to such Authorities and 2) to do so without informing the Merchant thereof. In such event Ingenico FS shall provide such information to the Authorities without having the authorization of the Merchant and without informing the Merchant of such processing of Personal Data.