DATA PROCESSING AGREEMENT FOR HOSTED OR ON-PREMISE SERVICES

This Data Processing Agreement (“DPA”) forms part of the commercial agreement for the provision of hosted or on-premise services (“Services”) (the “Agreement”) concluded by the Customer (as defined in the Agreement), on the one hand, and the applicable Visa entity that has entered into the Agreement (“Visa”), on the other hand. This DPA forms part of the Agreement under which Visa and its Affiliates Process Personal Information on the Customer’s behalf in connection with the Services.

Each of Visa and the Customer may be referred to herein as a “Party” and collectively as the “Parties.”

A. DEFINITIONS

1. For the purposes of this DPA, the following definitions shall apply:

“Adequacy Decision” means a decision adopted by a competent authority with jurisdiction over the Transfer declaring that a jurisdiction meets an adequate level of protection of Personal Information.

“Affiliates” means in relation to a Party, any entity which (directly or indirectly) controls, is controlled by and/or is under common control with that Party.

For purposes of this definition, "control" means ownership or control of more than 50% of the voting interests or assets of the entity.

“Applicable Data Protection Laws” means any law or regulation pertaining to data protection, privacy, and/or the Processing of Personal Information, to the extent applicable in respect of a Party’s obligations under the Agreement and this DPA.

For illustrative purposes only, “Applicable Data Protection Laws” include, without limitation, and to the extent applicable, the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”), UK Data Protection Laws, the Gramm-Leach-Bliley Act (“GLBA”), the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. as amended by the California Privacy Rights Act (“CCPA”), the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”), Swiss DP Laws, the Australian Privacy Act 1988 (including the Australian Privacy Principles), the Singapore Personal Data Protection Act 2012, the Japan Act on the Protection of Personal Information, the Korean Personal Information Protection Act, the People’s Republic of China Personal Information Protection Law, the South Africa Protection of Personal Information Act, the Hong Kong Personal Data (Privacy) Ordinance (“PDPO”), the New Zealand Privacy Act 2020, the Philippines Data Privacy Act, Argentina DPL, LGPD, Colombia DPL, Peru DPL, LOPDP, Uruguay DPL and any associated regulations or any other legislation or regulations that transpose, supersede or are deemed substantially similar to the above.

“Argentina DPL” means Law No. 25.326 and its subsidiary regulations and other data protection or privacy legislation in force from time to time in Argentina.

“LGPD” means the Brazilian Data Protection Law No. 13,709/2018, its subsidiary regulations and other data protection or privacy legislation or regulation in force from time to time in Brazil, including any regulation published by the Brazilian Data Protection Authority.

“Colombia DPL” means Law 1581 of 2012; Decree 1074 of 2015; Chapter V of the Circular Única of the SIC; Decree 090 of 2018; and all other regulation pertaining to data protection in Colombia.

“LOPDP” means Ecuador’s Organic Law on Personal Data Protection, its Regulation (Decree 904 of 11/2023) and its subsidiary regulations and other data protection or privacy legislation in force from time to time in Ecuador.

“EU SCCs” means the EU Standard Contractual Clauses (Module 1 Controller to Controller and Module 2 Controller to Processor, as applicable) (EU 2021/914), available at eurlex.europa.eu/eli/ and incorporated into this DPA by reference, including the attached Annexes I and II included at Schedule 5 of this DPA.

“RIPD SSCs” means the Model Contractual Clauses issued by the Ibero-American Data Protection Network, which have been approved by Argentina’s Data Protection Authority through Resolution 198/2023, by Peru’s Data Protection Authority through Directorial Resolution N.° 0074-2022-JUS/DGTAIPD and by Uruguay’s Data Protection Agency through Resolution N° 50/022 URCDP, available in annex-model-contractual-clauses-en.pdf and incorporated into this DPA by reference, including the attached Annexes I and II included at Schedule 5 of this DPA.

“Brazilian SCCs” means the Standard Contractual Clauses approved by the Brazilian Data Protection Authority (ANPD) through Resolution CD/ANPD No. 19 of 23 August 2024, available in regulation-on-international-transfer-of-personal-data.pdf and incorporated into this DPA.

“Personal Information” means all data or information, in any form or format, that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or individual (“Data Subject”) or that is regulated as “personal data,” “personal information,” or otherwise under Applicable Data Protection Laws.

For the avoidance of doubt, this includes any information relating to a Data Subject as defined in the Agreement and as described in Schedule 3 to this DPA.

“Peru DPL” means Peru Personal Data Protection Law N° 29733 (as updated, amended and replaced from time to time), including all implementing and associated regulations or instruments.

“Process” or “Processed” or “Processing” means any operation or set of operations which is performed upon Personal Information, whether or not by automatic means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, disclosure or otherwise making available, duplication, transmission, combination, blocking, redaction, erasure or destruction.

“Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information.

A Security Breach includes a “personal data breach” (as defined in the GDPR), a “breach of security of a system”, a “breach of security safeguards” (as defined in PIPEDA) or similar term (as defined in any other applicable privacy laws).

“Swiss DP Laws” means the Federal Act on Data Protection of September 25, 2020 (as updated, amended and replaced from time to time), including all implementing ordinances.

“Transfer” means to transmit or otherwise make Customer Personal Information available across national borders in circumstances which are restricted by Applicable Data Protection Laws.

“UK Data Protection Laws” means the UK GDPR as defined in section 3(10) and section 205(4) of the Data Protection Act 2018 (“UK GDPR”), together with the Data Protection Act 2018 and other data protection or privacy legislation in force from time to time in the United Kingdom.

In this DPA, in circumstances where and solely to the extent that the UK GDPR applies, references to the GDPR and its provisions shall be construed as references to the UK GDPR and its corresponding provisions.

“UK SCCs Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force from March 21, 2022, including Part 2 “Mandatory Clauses”.

“Uruguay DPL” means Data Protection Act No. 18.331 of 2008, Decree No. 414 of 2009, Law No. 19.670 of 2018 and Decree No. 64 of 2020 (as updated, amended and replaced from time to time), including all implementing and associated regulations or instruments.

2. Unless otherwise defined in the Agreement or this DPA, all terms in this DPA shall have the definitions given to them in Applicable Data Protection Laws and the terms “controller” and “processor” shall include any equivalent or analogous term in other Applicable Data Protection Laws such as “business” and “service provider”.

B. PROCESSING OF CUSTOMER PERSONAL INFORMATION

1. Designation. The parties acknowledge and agree that, with respect to the Personal Information that Visa Processes on behalf of Customer (“Customer Personal Information”) to provide the Services, Visa is a “processor” and Customer is a “controller”.

The subject matter, duration, and purpose of the processing, including the type of Personal Information involved and the categories of Data Subject is set out in Schedule 3 to this DPA.

2. Notwithstanding the foregoing, the Customer acknowledges that Visa may perform certain Processing activities on Customer Personal Information in Visa's capacity as an independent controller for the purposes of complying with its own legal obligations including in relation to sanctions screening and Anti-Money Laundering/Anti-Terrorist Financing (AML/ATF) checks.

3. Authorisation to Process. Visa will Process Customer Personal Information to provide the Services, and Customer authorises Visa to Process Customer Personal Information solely in connection with the following activities:

  1. in accordance with the Agreement and any other applicable agreement(s), including, without limitation, any exhibits, schedules, and applicable price schedule(s), to provide the Services, and any Processing required under applicable laws or regulations;
  2. the transfer of Customer Personal Information to downstream banks, wallet operators, wallet aggregators and/or clearing networks in order to complete a payment transaction; and
  3. as reasonably necessary to enable Visa to comply with any other directions or instructions provided by Customer.

Customer acknowledges that Visa may Process Customer data (including Customer Personal Information) on its own account, as a controller where applicable, for the purposes and in the manner outlined in Visa’s Global Privacy Notice (www.visa.co.uk/legal/global-privacy-notice.html), including to generate de-identified, anonymized or aggregated datasets, or for other purposes, provided that such Processing is relevant to and not incompatible with the delivery, security and improvement of the Services and other related services offered by Visa and its Affiliates.

4. Compliance with Law. Visa, in its provision of Services to Customer, and Customer, in its use of the Services, shall Process Customer Personal Information in accordance with Applicable Data Protection Laws.

To the extent necessary to enable each Party to comply with its obligations under Applicable Data Protection Laws, each Party further agrees to comply with any required provisions of Schedule 1 (California Consumer Privacy Act) and/or Schedule 2 (General Data Protection Regulation) to this DPA, each to the extent applicable.

5. Privacy Notice. Customer shall provide, or procure its customers to provide, Data Subjects with all privacy notices, information and any necessary choices and shall obtain any necessary consents to enable Visa to comply with Applicable Data Protection Laws and Process Customer Personal Information for the purposes envisaged in this DPA.

6. Data Subject Rights. Visa will, to the extent legally permitted, provide reasonable assistance to Customer to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws (e.g., rights to access or delete Personal Information) in a manner that is consistent with the nature and functionality of the Services.

Where Visa receives any such request, it shall advise the Data Subject that the Customer is responsible for handling such requests by a Data Subject in accordance with Applicable Data Protection Laws.

7. Engaging with Sub-Processors. Visa shall ensure that when engaging with another processor (a “Sub-Processor”) for the purposes of carrying out specific Processing activities on behalf of Customer, there is a written agreement between Visa and the relevant Sub-Processor that provides, in substance, the same level of protection for Customer Personal Information as set forth in this DPA.

8. Demonstrating Compliance with this DPA. Visa shall make available to Customer information necessary to demonstrate compliance with its obligations under this DPA and allow for (and contribute to) audits (up to once per year, save in the event of an actual Security Breach affecting Customer Personal Information, where clause 12 (Security Breach) shall apply), including inspections conducted by Customer or another auditor under the instruction of the Customer for the same purposes of demonstrating compliance with the obligations set out in this DPA, provided that:

  1. the Customer gives Visa reasonable notice in advance of any audit (where permitted by laws or regulations);
  2. the audit is carried out in a manner that causes the minimum possible disruption to Visa’s business (including with respect to the length of the audit and the number and seniority of Visa personnel required to assist with the audit); and
  3. the Customer and its third party auditor are subject to applicable Visa policies and confidentiality obligations.

In acknowledgement of the time, expense and disruption to business associated with performing audits and inspections involving interviews and onsite visits, Customer agrees to only conduct such audits and inspections on condition that Customer can demonstrate that such audit or inspection is necessary beyond the information made available by Visa under this section.

For example, to the extent that Visa can demonstrate compliance with its obligations set out in this DPA by adhering to an approved code of conduct, by obtaining an approved certification or by providing Customer with an audit report issued by an independent third party auditor (provided that Customer will comply with appropriate confidentiality obligations as set out in this DPA and the Agreement and shall not use such audit report for any other purpose), Customer agrees that it will not conduct an audit or inspection under this section.

9. Cross-Border Transfer. Visa shall only Transfer Customer Personal Information outside the Customer’s applicable jurisdiction, including, without limitation, outside the European Economic Area (“EEA”), the UK, Switzerland, Argentina, Brazil, Colombia, Ecuador, Peru, Uruguay and other LAC countries, in compliance with the Applicable Data Protection Laws.

Customer agrees and acknowledges that Visa Transfers to and stores in the United States certain Customer Personal Information (including Customer Personal Information relating to individuals located in the EEA, Switzerland, the UK, Argentina, Brazil, Colombia, Ecuador, Peru, Uruguay and other LAC countries).

Where required under any Applicable Data Protection Laws, the Customer agrees to apply appropriate safeguards, measures, or mechanisms, execute any notifications, obtain regulatory approval, and/or complete any review necessary to enable Transfers by Visa and/or its Sub-Processors under this DPA.

  1. The EU SCCs will apply to any Transfer of Personal Information from Customer to Visa that is subject to the GDPR (or was subject to the GDPR prior to its Transfer to Visa) and is not otherwise subject to an Adequacy Decision. The Parties agree that the EU SCCs are completed and incorporated by reference into this DPA as follows:
    1. Where Visa acts as a controller in accordance with Section B of this DPA, Module 1 of the EU SCCs shall apply (Controller to Controller).
    2. Where Visa acts as a processor under this DPA, Module 2 of the EU SCCs shall apply (Controller to Processor).
    3. Clause 7 (Docking Clause) is retained.
    4. For the purposes of Module 2 of the EU SCCs, in Clause 9, the Parties agree that Option 2 (General Written Authorization) will apply in accordance with clause 9 and Schedule 2, clause 1.2 of this DPA.
    5. The optional provision in Clause 11(a) of the EU SCCs shall not apply.
    6. In Clause 17, the EU SCCs will be governed by the laws of Ireland.
    7. In Clause 18, the courts of Ireland shall have jurisdiction over any dispute arising from the EU SCCs.
    8. For the purposes of Annex I.C of the EU SCCs, the Parties agree that the Irish Data Protection Commission shall be the competent Supervisory Authority for Transfers of Personal Information subject to the GDPR.
    9. Annexes I and II to the EU SCCs are contained at Schedule 5 of this DPA.
  2. The EU SCCs, as modified in this clause, will apply to any Transfer of Personal Information from Customer to Visa that is subject to the Swiss DP Laws (or was subject to the Swiss DP Laws prior to its Transfer to Visa) and is not otherwise subject to an Adequacy Decision:
    1. The term “EU Member State” must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c).
    2. References to the GDPR are to be understood as references to the Swiss DP Laws.
    3. In Clause 17, the EU SCCs will be governed by the laws of Switzerland.
    4. In Annex I.C, the Swiss Federal Data Protection and Information Commissioner is the competent Supervisory Authority.
  3. The UK SCCs Addendum, as incorporated by reference into this DPA, will apply to any Transfer of Personal Information from Customer to Visa that is subject to the UK GDPR (or was subject to the UK GDPR prior to its Transfer to Visa) and is not otherwise subject to an Adequacy Decision. In such cases, the Parties agree:
    1. The UK SCCs Addendum, including Part 2 ‘Mandatory Clauses’, is herein incorporated by reference and shall apply in full;
    2. In Table 1 of the UK SCCs Addendum, the names of the Parties, their roles and their details shall be as set out in Annex I at Schedule 5 of this DPA;
    3. In Tables 2 and 3 of the UK SCCs Addendum, the version of the EU SCCs incorporated at clause 9.1 of this DPA will apply, including the information set out in the Annexes to the EU SCCs; and
    4. In Table 4 of the UK SCCs Addendum, neither Party may end the UK SCCs Addendum.
  4. The RIPD SSCs will apply to any Transfer of Personal Information from Customer to Visa that is subject to the Argentina DPL, Colombia DPL, Peru DPL, LOPDP or Uruguay DPL or any other Applicable Data Protection Law in Latin America that approves the use of the RIPD SSCs (or was subject to such law prior to its Transfer to Visa) and is not otherwise subject to an Adequacy Decision. The Parties agree that the RIPD SSCs are completed and incorporated by reference into this DPA as follows:
    1. Where Visa acts as a controller in accordance with Section B of this DPA, the Controller to Controller Clauses of the RIPD SSCs shall apply.
    2. Where Visa acts as a processor under this DPA, the Controller to Processor Clauses of the RIPD SSCs shall apply.
    3. Clause 5 (Docking Clause) is retained.
    4. For the purposes of the Controller to Processor Clauses of the RIPD SSCs, in Clause 9, the Parties agree that Option 2 (General Written Authorization) will apply in accordance with clause 9 and Schedule 2, clause 1.2 of this DPA.
    5. The optional provision in Clause 8(a) of the RIPD SSCs shall not apply.
    6. The identification of the Parties and Annexes B and C to the RIPD SSCs are contained at Schedule 5 of this DPA.
  5. The Brazilian SCCs will apply to any Transfer of Personal Information from Customer to Visa that is subject to the LGPD (or was subject to the LGPD prior to its Transfer to Visa) and is not otherwise subject to an Adequacy Decision. The Parties agree that the Brazilian SCCs are completed and incorporated by reference into this DPA as follows:
    1. Where Visa acts as a controller in accordance with Section B of this DPA, the Controller to Controller Clauses of the Brazilian SCCs shall apply.
    2. Where Visa acts as a processor under this DPA, the Controller to Processor Clauses of the Brazilian SCCs shall apply.

10. Staff. Visa shall ensure that persons authorised to Process Customer Personal Information are under an appropriate obligation of confidentiality in accordance with applicable laws or regulations governing the same.

11. Security of Processing. Visa shall comply with Schedule 4 of the Agreement (Visa Security Addendum) when providing the Services.

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk to the rights and freedoms of natural persons, Visa will implement physical, technical and organizational measures to ensure a level of security appropriate to that risk.

In assessing the appropriate level of security, Visa shall, in particular, take into account the sensitivity of the Personal Information and the risks that are presented by the Processing, in particular from unauthorized or unlawful Processing, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Information transmitted, stored or otherwise Processed.

Visa shall provide reasonable assistance to Customer in ensuring Customer meets its own compliance obligations with respect to these same security measures.

12. Security Breach.

  1. In the event of an actual Security Breach (defined above) affecting Customer Personal Information contained in Visa’s systems, Visa shall investigate the circumstances, extent and causes of the Security Breach, report the results to Customer where legally permissible, and continue to keep Customer informed on a periodic basis of the progress of Visa’s investigation until Visa determines that the issue has been effectively resolved.
  2. Visa shall notify Customer without undue delay upon Visa becoming aware of an actual Security Breach affecting Customer Personal Information, providing the Customer with sufficient information and reasonable assistance to allow Customer to meet its obligations under Applicable Data Protection Laws to (i) notify a Supervisory Authority (as defined under Applicable Data Protection Laws) of the Security Breach; and (ii) communicate the Security Breach to the relevant Data Subjects.
  3. Visa’s notice of or response to a Security Breach will not constitute an acknowledgement or admission by Visa of any fault or liability with respect to the Security Breach.
  4. To the extent that a Security Breach was caused by Customer (including its officers, employees, agents, Affiliates, business partners, representatives and/or vendors) or its customers, Customer shall be responsible for the costs arising from Visa’s provision of assistance under this paragraph.

13. Deletion and Retention. Visa shall, at the choice of Customer, delete or return all Customer Personal Information upon termination of the Agreement and delete existing copies unless and to the extent storage is required by applicable law or regulation.

14. Customer Responsibility as Controller. With respect to the Customer's role as a controller in respect of the Services, it must do all of the following:

  1. ensure that it complies fully with all Applicable Data Protection Laws and regulations with regard to Personal Information that it collects, stores, transfers, or otherwise Processes;
  2. provide appropriate prior information to the Data Subjects about the intended Processing of Personal Information by the Customer and Visa;
  3. provide accurate data regarding the relevant Data Subjects to Visa, including informing Visa when Personal Information must be corrected, updated, or deleted;
  4. ensure that it has a lawful basis for the processing of any Personal Information, including processing of any Personal Information by Visa; and
  5. notify Visa, following contact from any given regulatory authority in relation to data Processed by Visa, unless applicable laws or regulations prohibit such notification.

C. MISCELLANEOUS

15. Any notice of termination of this DPA must be in writing and comply with the procedures for termination set out in the Agreement.

In any event, unless otherwise agreed in writing by the Parties, this DPA shall remain in effect until the later of (i) the expiration or termination of the Agreement; and (ii) the cessation of Visa’s Processing of Customer Personal Information on the Customer’s behalf in connection with the Services.

16. The terms of this DPA shall apply only to the extent required by Applicable Data Protection Laws.

To the extent not inconsistent herewith, the applicable provisions of the Agreement (including without limitation, indemnifications, limitations of liability, enforcement, and interpretation) shall apply to this DPA.

In the event of any conflict between this DPA and the terms of the Agreement, the terms of this DPA shall control solely with respect to data processing terms where required by Applicable Data Protection Laws, and, in all other respects, the terms of the Agreement shall control.

Notwithstanding any term or condition of this DPA, this DPA does not apply to any data or information that is not Personal Information, that has been aggregated, anonymized or de-identified in accordance with Applicable Data Protection Laws, or to the extent that Visa and the Customer have entered into separate data processing terms that address the subject matter hereof.

17. The Customer agrees that Visa may, without the need to obtain any further consent or notify the Customer, use, distribute, transfer or sublicence any aggregated, de-identified or anonymized forms of data provided under this DPA or the Agreement.

Notwithstanding any term or condition of this DPA, this DPA does not apply to any data or information that does not relate to one or more identifiable living individuals under Applicable Data Protection Laws.

SCHEDULE 1 - CALIFORNIA CONSUMER PRIVACY ACT AND APPLICABLE U.S. STATE COMPREHENSIVE PRIVACY LAWS

This Schedule supplements the DPA to address certain provisions of the California Consumer Privacy Act of 2018 and its implementing regulations, as amended or superseded from time to time (California Civil Code §§ 1798.100 to 1798.199) (collectively, the “CCPA”) and other applicable U.S. state consumer privacy laws (together with the CCPA, “State Consumer Privacy Laws”).

1. APPLICATION

1.1 This Schedule applies in addition to any terms set forth in the body of the DPA (and is incorporated therein) when the State Consumer Privacy Laws apply to Customer’s use of Services (the “Services”).

Notwithstanding anything else to the contrary, the parties agree that this Schedule does not apply to any information that is collected, processed, sold or disclosed by the parties subject to the Gramm-Leach-Bliley Act (“GLBA”).

1.2 Capitalised terms not defined herein have the meaning assigned to them under the DPA or the Agreement or, if not defined therein, in the State Consumer Privacy Laws, as applicable.

1.3 In the event of a conflict between this Schedule and the Agreement or DPA, this Schedule will control, to the extent necessary to ensure compliance with the State Consumer Privacy Laws.

2. DATA PRIVACY ROLES AND OBLIGATIONS

2.1 For purposes of this Schedule, the Parties acknowledge that, with respect to Personal Information Visa Processes on behalf of Customer under the Agreement that is not Processed pursuant to GLBA, (a) Customer acts as a Business or Controller within the meaning provided by the State Consumer Privacy Laws and this Schedule; and (b) Visa acts as a Service Provider or Processor within the meanings provided by the State Consumer Privacy Laws.

2.2 Each Party shall comply with its obligations under the State Consumer Privacy Laws in respect of any Personal Information Processed under this Schedule.

Customer specifically acknowledges and agrees that its use of the Services will not violate the rights of any Consumer, including those that have opted out from sales or other disclosures of Personal Information, to the extent applicable under the State Consumer Privacy Laws.

3. VISA OBLIGATIONS

3.1 In its role as a Processor, Visa:

  1. Will protect and secure Customer Personal Information in accordance with the State Consumer Privacy Laws and shall provide the same level of privacy protection as is required by such laws;
  2. Will Process Customer Personal Information only for the specific business purposes set forth in the Agreement;
  3. Except as permitted by the State Consumer Privacy Laws, will not sell or share, within the meanings provided by the State Consumer Privacy Laws, Customer Personal Information or retain, use, or disclose Customer Personal Information (i) for any purpose other than as necessary to fulfil the business purposes set forth in the Agreement, including retaining, using, or disclosing Customer Personal Information for a commercial purpose other than the business purpose set forth in the Agreement; or (ii) outside of the direct business relationship between Visa and Customer;
  4. Will not combine the Customer Personal Information with Personal Information that it receives from or on behalf of any other person(s) or entity(ies), or collects from its own interaction with an individual, except as otherwise permitted by the State Consumer Privacy Laws;
  5. Will implement reasonable security procedures and practices, appropriate to the nature of the Customer Personal Information, designed to protect the Customer Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure;
  6. Will notify Customer of any material changes in Visa’s ability to meet its obligations under the State Consumer Privacy Laws, including but not limited to any determination that Visa can no longer meet its obligations under this Schedule;
  7. Will enter into agreements with any sub-processors used to Process Customer Personal Information that comply with the State Consumer Privacy Laws, including, without limitation, any contractual requirements for Service Providers and contractors;
  8. Will provide reasonable cooperation to Customer, upon request, to enable Customer to comply with consumer requests made pursuant to the State Consumer Privacy Laws;
  9. Grants Customer the right to take reasonable and appropriate steps in accordance with the Agreement to ensure that Visa uses Customer Personal Information in a manner consistent with Customer’s obligations under the State Consumer Privacy Laws; and
  10. Grants Customer the right, upon notice, and in accordance with the Agreement to take reasonable and appropriate steps to stop and remediate Visa’s unauthorized use of Customer Personal Information.

Visa certifies that it understands its obligations, including restrictions, imposed upon it by the State Consumer Privacy Laws with respect to Customer Personal Information and will comply with them.

3.2 Notwithstanding the above, Visa may retain, use or disclose Customer Personal Information as permitted under the State Consumer Privacy Laws, including:

  1. To retain and employ another Service Provider or contractor as a subcontractor in accordance with this Schedule and any other applicable terms of the Agreement where the subcontractor meets the requirements for a Service Provider, contractor, or subcontractor under the State Consumer Privacy Laws;
  2. For its internal use to build or improve the quality of the Services, provided that Visa does not use the Customer Personal Information to perform services on behalf of another person;
  3. To prevent, detect, or investigate data security incidents or protect against malicious, deceptive, fraudulent or illegal activity;
  4. For any other purpose expressly contemplated or permitted by the State Consumer Privacy Laws or other applicable law.

SCHEDULE 2 - GENERAL DATA PROTECTION REGULATION

This GDPR Schedule applies in addition to any terms set forth in the body of the DPA (and is incorporated therein) when (i) Visa Processes Customer Personal Information on behalf of the Customer to provide the Services; and (ii) the GDPR applies to Customer's use of the Services or to the extent Applicable Data Protection Laws (other than the GDPR) impose a comparable requirement to that outlined under this Schedule 2.

Capitalised terms not defined herein have the meaning assigned to them under the DPA.

To the extent that there are any conflicts between this GDPR Schedule and the DPA, this GDPR Schedule shall prevail.

In accordance with paragraph 3 of this DPA and for the purposes of this Schedule 2, the term "Processor" means Visa.

1. Additional Processor Obligations

1.1 Processing of Customer Personal Information.

Processor shall Process Customer Personal Information pursuant only to documented reasonable instructions from Customer (including instructions with respect to Transfers of Customer Personal Information to a third country, if applicable) unless Processor is required to otherwise Process Customer Personal Information by Applicable Data Protection Laws.

In such circumstances, Processor shall inform Customer of that legal requirement before Processing, unless prohibited from doing so by applicable law, on important grounds of public interest.

1.2 Use of Sub-Processor

1.2.1 Processor will not engage any Sub-Processor without the specific or general written authorisation from Customer.

In accordance with this section 1.2 of this GDPR Schedule, Customer provides authorisation for Processor to engage with the Sub-Processors detailed in the Processor's Sub-Processor list as provided in Schedule 4 of this DPA.

1.2.2 Where Processor engages a Sub-Processor, Processor shall ensure that the Customer is notified of that engagement.

Processor shall provide Customer with a reasonable timeframe for Customer to reasonably object to the engagement of that Sub-Processor and the Customer agrees and hereby consents for Processor to engage the relevant Sub-Processor where the Customer fails to raise reasonable objections within the applicable timeframe.

If the Customer reasonably objects to the engagement of a Sub-Processor within the applicable timeframe, Processor may choose one of the following:

(i) decide not to use the Sub-Processor for that processing activity;
(ii) take the commercially reasonable corrective steps requested by the Customer in its objection (which remove the Customer's objection) and proceed to use the Sub-Processor; or
(iii) suspend or terminate the provision of the services that require the use of the Sub-Processor.

2. Data Protection Impact Assessments and Prior Consultation with Regulator

2.1 Processor shall immediately inform Customer if, in Processor’s opinion, Customer’s instructions would be in breach of Applicable Data Protection Laws.

Customer agrees that Processor shall be under no obligation to take actions designed to form any such opinion.

2.2 Processor shall provide reasonable assistance to Customer with any legally required:

(a) data protection impact assessments; and (b) prior consultations initiated by the Customer with its regulator in connection with such data protection impact assessments.

Such assistance shall be strictly limited to the Processing of Customer Personal Information by Processor on behalf of Customer under the Agreement taking into account the nature of the Processing and information available to Processor.

SCHEDULE 3 – DETAILS OF PROCESSING

Duration:

The duration of Processing is the period during which Visa provides the Services to the Customer and any additional period required to fulfil Visa’s contractual obligations with the Customer or applicable laws.

Visa may retain data for archiving purposes in accordance with the applicable laws and Visa’s record management policies.

SCHEDULE 4 - LIST OF SUB-PROCESSORS

SCHEDULE 5 – STANDARD CONTRACTUAL CLAUSES

A. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

1. Name: Customer

Address: See the Agreement

Contact person’s name, position and contact details:

Activities relevant to the data transferred under these Clauses:

Receiving Services pursuant to the Agreement

Role (controller/processor): Controller

Signature and date:

Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

1. Name: Visa

Address: See the Agreement

Contact: [email protected]

Activities relevant to the data transferred under these Clauses: Providing Services pursuant to the Agreement

Role (controller/processor): Processor as to Services provided pursuant to the Agreement

Signature and date:

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

The Customer’s customers, which means:

a direct customer of Customer or any downstream customer of Customer’s direct customer where Customer has chosen to route payments made on behalf of their customer via the Services

Categories of personal data transferred

Customer names, customer addresses, customer date of birth, customer phone numbers, customer cards, customer transactions and behaviour, as described in more detail in the applicable data schema for the Services

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous.

Nature of the processing

Collecting, reviewing, analyzing, storing and otherwise processing Personal Information to provide the Services as described in the Agreement.

Purpose(s) of the data transfer and further processing

As necessary for the provision of the Services that are described in the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The term of the Agreement or as permitted by Applicable Data Protection Laws and for a period of time thereafter in the production environment and in the back-up environments unless the Personal Information is deleted prior to the termination or expiration of the Agreement per Customer’s instructions.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

For the purpose of providing the Services to Customer for the duration of the Agreement unless the Personal Information is deleted prior to the termination or expiration of the Agreement in accordance with Customer’s instructions.

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

EU-527351
Confidential