Legal Overview
All you need to know about 2Checkout Legal
Data Privacy Provisions
Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR" and/or the "Privacy Regulation") enters into force on May 25th, 2018 and applies to 2Checkout partners and providers in case of processing of personal data wholly or partly by automated means or other than by automated means which form part of a filing system or are intended to form part of a filing system, if any of the following criteria is met:
- the processing of personal data is done in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the European Union or not;
- the processing of personal data of data subjects who are in the European Union by a controller or processor not established in the European Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the European Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the European Union.
Please note that as part of our partnership both You ( e.g Merchant, Client, Provider, Affiliate network partner) and Verifone Payments B.V. (formerly known as Avangate B.V.) and its Affiliates companies part of the Avangate group of companies dba 2Checkout ("2Checkout" or "Avangate" or "Verifone Payments") are data controllers in respect of the personal data of Shoppers, End Users or Customers (the "Personal Data") and as such specific obligations are applicable to you. For sake of clarity Personal data is listed in the Privacy Policy available on 2Checkout platform.
While You are free to determine your own privacy policy, we note that for the entire duration our partnership and for the processing of Personal Data regulated by GDPR, You understands and agrees that certain minimum obligations and safeguards have to be put in place and made transparent to 2Checkout to ensure that no reputational or other loss occurs for either party.
SECTION I: UNDERTAKING IN RESPECT OF DATA PROCESSING UNDER GDPR
1. Parties will only disclose the Personal Data to the extent reasonably necessary for them to be able to perform their obligations under the Partnership and shall not use such Personal Data for any other purposes, except if legal requirements for such additional processing have been observed (e.g. Client consented in advance, legal obligations are in place and require processing).
2. You shall ensure that you have appropriate operational and technological processes and procedures in place to safeguard against any unauthorized or unlawful access, loss, destruction, theft, use or disclosure of the Personal Data as mentioned under Section III below.
3. Without undue delay, You shall notify 2Checkout:
3.1. but in no event after 24 hours of becoming aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, Personal Data transmitted, stored or otherwise processed (provided that such breach qualifies to be notified to the supervisory authority pursuant to GDPR),
3.2. any investigation or request concerning the Personal Data by a public authority (including the supervisory data protection authority) unless otherwise prohibited, such as (but not limited to) a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
4. Upon reasonable request, You shall:
4.1. deal promptly and properly with all enquiries from 2Checkout relating to processing of the Personal Data;
4.2. submit its and shall procure that its (sub)processors submit relevant information about their data processing facilities, procedures and documentation relating to the processing of Personal Data Controller, to scrutiny by 2Checkout (or a third party authorized by 2Checkout).
5. Before exiting our partnership regardless of the reason, or earlier, upon 2Checkout motivated request, You shall destroy or delete permanently any Personal Data in its direct or indirect possession (including backup copies) and certify in writing to 2Checkout that it has done so (up to the extent that further retention is imposed by law or legitimate interest) unless the data is transferred according to a legitimate interest and as per applicable laws.
SECTION II: MUTUAL OBLIGATIONS UNDER GDPR
6. To the extent they are applicable due to the nature of the commercial relationship or due to Your obligations and 2Checkout in respect of processing of Personal Data, upon one or both parties the following obligations will be instated:
6.1. Parties shall maintain relevant records of processing (provided such other requesting party submits arguments for which it considers the commercial relationship as amounting to a data controller - data processor relationship);
6.2. Parties shall transfer or process personal data outside European Economic Area or European Union only with the observance of the GDPR and with prior notification to the other party;
6.3. Parties shall appoint or use third parties for the processing of Personal Data only with the observance of the GDPR;
6.4. Parties shall appoint a Data Protection Officer and/or a representative in the European Union and indicate the contact details thereof.
6.5. Parties shall notify each other within three (3) working days from their response to a Data Subject Request in respect of Personal Data. The Party that receives the Data Subject Request shall be primarily responsible for all communications with the Data Subject and the other party shall not be expected to provide any assistance in respect of Personal Data that is not under their control.
7. Where a party (the "Damaged Party") suffers Losses as a result of the breach by the other party of any of its representations and warranties or such other party fails or refuses to comply with any of its covenants or obligations contained above (the "Responsible Party"), then the Damaged Party shall be entitled to claim specific performance and/or full compensation from and be indemnified and held harmless by the Responsible Party for such Losses, including all costs and expenses, and seek all available legal remedies to put it in the position where it have been had the relevant breach or Loss have not occurred.
8. For the purpose of this paragraph, "Losses" shall mean any and all current and future damages, fines, fees, penalties, investments and expenses (including, without limitation (i) interests, (ii) court expenses, (iii) fees of attorneys, (iv) accountants and other experts or other expenses of litigation, (v) other proceedings or of any claim, (vi) all losses, damages or other payments due to data subjects based on final and enforceable authority order or court decision for non-observance of the GDPR incurred by a party as a result of the breach by the other party of its representations and warranties or of its obligations and covenants related to Personal Data processing.
SECTION III: MINIMUM REUIQREMENTS FOR TECHNICAL AND ORGANIZATIONAL MEASURES
9. Area of responsibility. You shall continuously comply with the minimum requirements set herein from both a technical and organizational measures for the processing of the Personal Data. It is Your responsibility that these requirements be observed and contractually binding to its employees, collaborators, agents, subcontractors etc. You shall remain fully liable to 2Checkout for their observance of these requirements.
10. Training and Awareness of relevant personnel. All personnel authorized by You to access Personal Data shall be trained and made aware of your responsibilities under GDPR and how to protect Personal data.
11. Restricted access to Personal Data of personnel. You shall ensure that those of its employees who are processing Personal Data are reliable and have had sufficient/adequate training pertinent to GDPR's obligations and that no other employees than the ones needed are allowed to access Personal Data. You shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. All your personnel must access only the Personal Data required to perform their job assignments. For this purpose, You shall determine the types of access, by functionality (such as: administration, input, processing, rescue etc.) and after actions on personal data (such as writing, reading, deleting) procedures for these types of access. Anonymous data will be used to prepare users or make presentations.
12. Technical measures. All assets that process Personal data are in restricted area and out of reach from non-authorized personnel. Effective access to Personal data is recorded and may be tracked in case of data breach or non-authorized access. All software used is licensed and safe. Awareness policy and procedures in case of computer viruses or any other informatics attacks are in place and periodically tested.
SECTION IV: CALIFORNIA CONSUMER PRIVACY ACT (CCPA)
13. Parties acknowledge that starting with January 1st, 2020, the California Consumer Privacy Act of 2018 (CCPA) enters into force and places new obligations on organizations that collect personal information of California consumers and the CCPA applies to a "business" that:
A. does business in the State of California, USA
B. collects personal information (or on behalf of which such information is collected),
C. alone or jointly with others determines the purposes or means of processing of that data, and
D. satisfies one or more of the following:
(i). annual gross revenue in excess of $25 million,
(ii). alone or in combination, annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices, or
(iii). derives 50 percent or more of its annual revenues from selling consumers' personal information.
14. To the extend that CCPA provisions are applicable to Parties, please note that as part of our partnership both You and 2Checkout are "business" as defined in CCPA Section 1798.140(c).
15. Both parties individually and acting together as business to business are prohibited from:
(i). selling Personal Data;
(ii). retaining, using, or disclosing Personal Data for a commercial purpose other than providing the Services in the Agreement to the consumer; and
(iii). retaining, using, or disclosing the Personal Data outside of the Agreement between Parties. The obligations imposed on businesses by this Section shall not restrict the parties from conducting activities allowed by CCPA.
Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR" and/or the "Privacy Regulation") enters into force on May 25th, 2018 and applies to 2Checkout partners and providers in case of processing of personal data wholly or partly by automated means or other than by automated means which form part of a filing system or are intended to form part of a filing system, if any of the following criteria is met:
- the processing of personal data is done in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the European Union or not;
- the processing of personal data of data subjects who are in the European Union by a controller or processor not established in the European Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the European Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the European Union.
Please note that as part of our partnership both You ( e.g Merchant, Client, Provider, Affiliate network partner) and Avangate BV and its Affiliates companies part of the Avangate group of companies dba 2Checkout ("2Checkout" or "Avangate") are data controllers in respect of the personal data of Shoppers, End Users or Customers (the "Personal Data") and as such specific obligations are applicable to you. For sake of clarity Personal data is listed in the Privacy Policy available on 2Checkout platform.
While You are free to determine your own privacy policy, we note that for the entire duration our partnership and for the processing of Personal Data regulated by GDPR, You understands and agrees that certain minimum obligations and safeguards have to be put in place and made transparent to 2Checkout to ensure that no reputational or other loss occurs for either party.
SECTION I: UNDERTAKING IN RESPECT OF DATA PROCESSING UNDER GDPR
1. Parties will only disclose the Personal Data to the extent reasonably necessary for them to be able to perform their obligations under the Partnership and shall not use such Personal Data for any other purposes, except if legal requirements for such additional processing have been observed (e.g. Client consented in advance, legal obligations are in place and require processing).
2. You shall ensure that you have appropriate operational and technological processes and procedures in place to safeguard against any unauthorized or unlawful access, loss, destruction, theft, use or disclosure of the Personal Data as mentioned under Section III below.
3. Without undue delay, You shall notify 2Checkout:
3.1. but in no event after 72 hours of becoming aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, Personal Data transmitted, stored or otherwise processed (provided that such breach qualifies to be notified to the supervisory authority pursuant to GDPR),
3.2. any investigation or request concerning the Personal Data by a public authority (including the supervisory data protection authority) unless otherwise prohibited, such as (but not limited to) a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
4. Upon reasonable request, You shall:
4.1. deal promptly and properly with all enquiries from 2Checkout relating to processing of the Personal Data;
4.2. submit its and shall procure that its (sub)processors submit relevant information about their data processing facilities, procedures and documentation relating to the processing of Personal Data Controller, to scrutiny by 2Checkout (or a third party authorized by 2Checkout).
5. Before exiting our partnership regardless of the reason, or earlier, upon 2Checkout motivated request, You shall destroy or delete permanently any Personal Data in its direct or indirect possession (including backup copies) and certify in writing to 2Checkout that it has done so (up to the extent that further retention is imposed by law or legitimate interest) unless the data is transferred according to a legitimate interest and as per applicable laws.
SECTION II: MUTUAL OBLIGATIONS UNDER GDPR
6. To the extent they are applicable due to the nature of the commercial relationship or due to Your obligations and 2Checkout in respect of processing of Personal Data, upon one or both parties the following obligations will be instated:
6.1. Parties shall maintain relevant records of processing (provided such other requesting party submits arguments for which it considers the commercial relationship as amounting to a data controller - data processor relationship);
6.2. Parties shall transfer or process personal data outside European Economic Area or European Union only with the observance of the GDPR and with prior notification to the other party;
6.3. Parties shall appoint or use third parties for the processing of Personal Data only with the observance of the GDPR;
6.4. Parties shall appoint a Data Protection Officer and/or a representative in the European Union and indicate the contact details thereof.
7. Where a party (the "Damaged Party") suffers Losses as a result of the breach by the other party of any of its representations and warranties or such other party fails or refuses to comply with any of its covenants or obligations contained above (the "Responsible Party"), then the Damaged Party shall be entitled to claim specific performance and/or full compensation from and be indemnified and held harmless by the Responsible Party for such Losses, including all costs and expenses, and seek all available legal remedies to put it in the position where it have been had the relevant breach or Loss have not occurred.
8. For the purpose of this paragraph, "Losses" shall mean any and all current and future damages, fines, fees, penalties, investments and expenses (including, without limitation (i) interests, (ii) court expenses, (iii) fees of attorneys, (iv) accountants and other experts or other expenses of litigation, (v) other proceedings or of any claim, (vi) all losses, damages or other payments due to data subjects based on final and enforceable authority order or court decision for non-observance of the GDPR incurred by a party as a result of the breach by the other party of its representations and warranties or of its obligations and covenants related to Personal Data processing.
SECTION III: MINIMUM REUIQREMENTS FOR TECHNICAL AND ORGANIZATIONAL MEASURES
9. Area of responsibility. You shall continuously comply with the minimum requirements set herein from both a technical and organizational measures for the processing of the Personal Data. It is Your responsibility that these requirements be observed and contractually binding to its employees, collaborators, agents, subcontractors etc. You shall remain fully liable to 2Checkout for their observance of these requirements.
10. Training and Awareness of relevant personnel. All personnel authorized by You to access Personal Data shall be trained and made aware of your responsibilities under GDPR and how to protect Personal data.
11. Restricted access to Personal Data of personnel. You shall ensure that those of its employees who are processing Personal Data are reliable and have had sufficient/adequate training pertinent to GDPR's obligations and that no other employees than the ones needed are allowed to access Personal Data. You shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. All your personnel must access only the Personal Data required to perform their job assignments. For this purpose, You shall determine the types of access, by functionality (such as: administration, input, processing, rescue etc.) and after actions on personal data (such as writing, reading, deleting) procedures for these types of access. Anonymous data will be used to prepare users or make presentations.
12. Technical measures. All assets that process Personal data are in restricted area and out of reach from non-authorized personnel. Effective access to Personal data is recorded and may be tracked in case of data breach or non-authorized access. All software used is licensed and safe. Awareness policy and procedures in case of computer viruses or any other informatics attacks are in place and periodically tested.