This schedule 8 applies when we are processing personal data on your behalf.
If the terms and conditions in this schedule 8 conflict with any of the other schedules of the agreement, this schedule 8 will take priority.
If any of the terms shown in bold are unfamiliar to you, a glossary is available for reference here. The glossary defines the terms used throughout the schedules.
1. DATA PROCESSING
1.1. When you provide customer data to us so we can process their transactions, you are the data controller of their personal data and we are the data processor.
1.2. We will also collect personal data from you as a data controller, including:
1.2.1. when you provide personal data about proprietors, partners, directors, employees or other authorised users;
1.2.2. when we use personal data about your customers to meet our anti-money laundering and fraud prevention obligations; and
1.2.3. when we use personal data about your customers to keep to any agreement that applies to us or any rules, by-laws, regulations and operating guidelines issued by the payment schemes from time to time.
1.3. We agree to keep our records of your authorised users up to date, to the extent that you or an authorised user informs us of any changes.
1.4. You agree to inform us without undue delay if any authorised user no longer has your authorisation to represent you in any correspondence or communication with us, including but not limited to if an authorised user stops working for you.
1.5. You agree to tell all data subjects that you will share their personal data with us, or with a category of recipient that reasonably includes us.
1.6. When we are acting as a data processor, the following applies:
1.6.1. You are responsible for meeting your obligations under data protection laws and for the instructions you give to us about processing (gathering, using and storing) personal data.
1.6.2. You must make sure all personal data transferred to us is accurate and up to date at the time it is collected, and is at all times collected, processed and transferred by you (and anyone acting on your behalf) in line with data protection laws.
1.6.3. Before you transfer any personal data to us, you must have given each data subject sufficient information (in an appropriate form) to make sure they understand how and why their personal data is being processed, and their rights relating to this, so we can process their personal data in a fair and lawful way, in line with the requirements of data protection laws.
1.6.4. We will only process your customers’ personal data for the purpose of providing our services, and only in line with your written instructions (whether in the agreement or otherwise), unless the processing is necessary under any applicable laws which apply to us. In this case, we will tell you about that legal requirement before processing that personal data. We may not tell you about the legal requirement if that applicable law says we cannot tell you.
1.6.5. We will only transfer personal data outside the United Kingdom in line with your written instructions (whether in the agreement or otherwise).
1.6.6. We will tell you if, in our opinion, an instruction we receive from you breaks, or is likely to break, any data protection laws.
2. YOUR WARRANTY
2.1. You assure us that you have all necessary rights to provide personal data to us, and have provided all relevant information and notices to data subjects, to enable us to process the personal data for the purpose of providing the services under the agreement.
2.2. You must promptly tell us about any changes to data protection laws or activities that may reasonably be considered to affect your ability to keep to the agreement.
3. OUR PERSONNEL
3.1. We will treat all personal data as confidential and use reasonable efforts to make sure that all our relevant employees and contractors, and any sub-processors, have made a commitment to keep personal data confidential.
3.2. We will take reasonable steps to check the reliability of any employee or sub-processor who may have access to the personal data, and make sure access is given only to people who need the relevant personal data in the course of work for us.
4. SECURITY
4.1. Both you and we must have, and keep to, written security policies that apply to processing personal data. Those policies should include obligations to:
4.1.1. assign internal responsibility for managing information security;
4.1.2. devote adequate resources (including personnel) to information security;
4.1.3. carry out appropriate checks on staff who will have access to personal data;
4.1.4. require employees and others with access to personal data to enter into written confidentiality agreements and take part in training to make them aware of threats to information security.
4.2. We will put in place appropriate technical and organisational measures, including those set out in annex 2, to provide a level of security that is appropriate to the risks presented by processing personal data, particularly the risks of accidental or unlawful destruction, loss, alteration, or unauthorised release of or access to the personal data.
4.3. We will provide you with sufficient information, including when you reasonably request it, to help you comply with the security requirements of the data protection laws in relation to personal data you instruct us to process as a data processor.
5. SUB-PROCESSING
5.1. You authorise us to appoint sub-processors without asking for your permission. We will give you a list of our sub-processors before you give us personal data about your customers under this agreement.
5.2. You authorise us to make transfers of personal data to sub-processors in countries or territories for which adequacy regulations exist under the data protection laws.
5.3. We will tell you about any intended change to any appointed sub-processor, to give you the opportunity to object to the change.
5.4. We will:
5.4.1. enter into a written contract with each sub-processor, which will contain terms equivalent to those set out in this schedule 8 that apply to us as a data processor;
5.4.2. be liable to you for the sub-processor’s obligations if the sub-processor fails to meet its obligations relating to processing any personal data; and
5.4.3. tell you if we intend to engage a sub-processor who will process personal data in or from a country, territory or international organisation outside the United Kingdom for which there are no adequacy regulations under the data protection laws.
6. DATA SUBJECT REQUESTS
6.1. If we receive any data subject request, we will give you full details within three business days. You are responsible for replying to each such data subject request.
6.2. Where possible, we will give you any reasonable help you ask us for, in writing, to enable you to meet any data subject request in line with data protection laws.
7. INCIDENT MANAGEMENT
7.1. If a party to the agreement (namely, you or us) discovers a personal data breach relating to personal data we are processing as a data processor, that party must report the matter to the other and provide the following information to enable them to meet any obligations they have under data protection laws:
7.1.1. A description of the nature of the personal data breach, including the categories of personal data and an approximate number of people whose personal data is affected.
7.1.2. The likely consequences of the personal data breach.
7.1.3. A description of the measures taken or proposed to be taken to address the personal data breach, including measures to keep adverse effects to a minimum.
7.2. Immediately following any personal data breach, you and we will co-ordinate with each other to investigate the matter at no extra expense to each other. This includes:
7.2.1. helping with any investigation;
7.2.2. providing all relevant records, files and other documents and materials you or we need to keep to data protection laws or as reasonably required by you or us; and
7.2.3. taking reasonable and prompt steps to reduce the effects of, and minimise any damage resulting from, the personal data breach.
7.3. Except as specified in clause 7.4, you and we must not tell anyone else about a personal data breach involving personal data processed under this agreement without first getting written permission from the other.
7.4. You or we may inform someone else about a personal data breach involving personal data processed under this agreement where:
7.4.1. You or we are informing our insurers or legal advisors;
7.4.2. You or we are telling someone doing checks on the suitability of your or our business to act as a supplier;
7.4.3. You are informing data subjects affected by the personal data breach;
7.4.4. You or we are required by law to tell a specific person or organisation about the personal data breach.
8. DATA PROTECTION IMPACT ASSESSMENT AND CONSULTATION
8.1. We will, if you ask, provide reasonable help with any data protection impact assessments you must carry out under data protection laws, and any consultations with a supervisory authority which are required under data protection laws, in connection with us processing personal data on your behalf.
9. DELETING OR RETURNING PERSONAL DATA
9.1. Except where clause 9.2 below applies, within 90 days of the date we stop processing personal data you provide to us as a data processor or the agreement ends (whichever is earlier) we will either:
9.1.1. return a complete copy of all personal data to you in a secure and commercially reasonable way as specified by you and delete all other copies of personal data processed by us or a sub-processor; or
9.1.2. delete all copies of personal data processed by us or any sub-processor.
We will give you written confirmation of this.
9.2. We do not have to return or delete any personal data that we are required by applicable laws to keep.
10. AUDIT RIGHTS
10.1. When we are acting as a data processor, we will, if you ask, demonstrate how we have met the requirements under this schedule 8 and allow you to audit our performance no more than once a year, unless you have good reason to suspect that we have not met our obligations under this schedule 8. Unless otherwise required by a supervisory authority, you must give us at least 30 days’ notice in writing to carry out the audit. If you have the audit carried out by a third party, they must first enter into a confidentiality agreement with us.
10.2. Before carrying out an audit under clause 10.1 above, you and we will agree the start date, scope, duration and confidentiality controls of the audit.
10.3. We may, if we have good reason, object to an independent auditor you want to appoint to carry out an audit under clause 10.1. In this case, you must appoint another auditor who, in our reasonable opinion, is not a competitor of ours.
11. COSTS
11.1. If your instructions exceed those reasonably required of a data processor under data protection laws, we will tell you this as soon as possible. We can then charge a reasonable fee for following those instructions.
11.2. You must pay our reasonable costs and expenses of providing any help under clause 8, and of carrying out an audit under clause 10.
12. MISCELLANEOUS
12.1. Any obligation we have under the agreement in connection with processing personal data will continue after the agreement ends for any reason.
12.2. The terms of this schedule 8 will continue to apply after the agreement ends.
13. INDEMNITY
13.1. You agree to indemnify us against (that is, fully reimburse us and accept all liability for) all losses, claims, damages, costs and expenses (including legal fees and court fees) and other liabilities to customers in connection with the processing of their personal data, and legal and other professional costs, arising out of or in connection with you failing to meet your obligations under this schedule 8.
ANNEX 1: DATA PROCESSING INFORMATION
This annex includes details relating to the processing of personal data.
Whose personal information we will process | Customers
Purposes of the processing | Processing for the purposes of providing payment services under the agreement.
Duration of the processing | The period of the agreement
Type of personal data |
Sub-processors
Sub-processor | Location | Services
Any acquirer named in your merchant application form | | Transaction acquiring
Optomany Ltd | United Kingdom | Payment gateway
ANNEX 2: SECURITY MEASURES
We will have the following technical and organisational measures in place to protect personal data against accidental loss and unauthorised access or destruction.
1. SECURITY POLICIES
1.1. We assign specific personnel (employees, officers, agents, contractors, consultants, advisers and representatives) to be responsible for setting, reviewing and enforcing security policies and procedures.
1.2. Our security measures are set out in a security policy or other relevant guidelines and documents.
2. SECURITY SOFTWARE
2.1. Our IT systems that are used to process personal data have appropriate security software installed on them.
3. ACCESS CONTROLS
3.1. We limit access to personal data by having appropriate access controls. Access controls can include the following.
3.1.1. Requiring authentication and authorisation to gain access to our IT systems (for example, requiring users to enter a user ID and password).
3.1.2. Only allowing access to personal data the user needs to perform their role or the purpose they are given access to our IT systems for.
3.1.3. Having in place appropriate procedures for controlling access rights to personal data. For example, having appropriate procedures for withdrawing access to our IT systems when an employee leaves their job or changes role.
4. AVAILABILITY AND BACK-UP OF PERSONAL DATA
4.1. We regularly back up information on our IT systems and keep back-ups in separate locations.
5. SEPARATING PERSONAL DATA
5.1. We will, if appropriate, separate and limit access between network components and put measures in place to provide for separate processing (storage, amendment, deletion and transmission) of personal data collected and used for different purposes.
6. ENCRYPTION
6.1. We use encryption technology where appropriate to protect the personal data.
7. TRANSMITTING OR TRANSPORTING PERSONAL DATA
7.1. We have appropriate controls in place to keep personal data secure while it is being transmitted or transported.
8. PHYSICAL SECURITY
8.1. We have physical security measures in place to protect personal data. Such measures may include the following:
8.1.1. Buildings being appropriately secured.
8.1.2. Measures being taken to prevent personal data from being read, copied, amended or moved by anyone not authorised to do this.
8.1.3. Hard copy documents containing personal data only being taken off site where necessary to achieve the purposes of the agreement.
8.1.4. Paper records which contain confidential information (including personal data) being shredded after use, in line with industry standards.
9. STAFF TRAINING AND AWARENESS
9.1. We provide staff training on data security and privacy issues relevant to employees’ roles, and make sure that new employees receive appropriate training before they start their role (as part of the onboarding procedures).
9.2. Disciplinary action is taken against staff who do not keep to our policies and procedures relating to data privacy and security.
10. CHOICE OF SERVICE PROVIDERS
10.1. We assess a service provider’s ability to meet our security requirements before we appoint them.
10.2. The written contracts we have with service providers require them to have appropriate security measures in place to protect the personal data they have access to, and limit the use of that personal data, in line with our instructions.