Data Processing Agreement

Effective as of 09.04.2020

Last Updated 14.12.2020

This Data Processing Agreement ("DPA") forms part of, and is subject to, the provisions of SumUp’s Additional Terms of Use for E-commerce Services (the "Agreement", the "Additional Terms"), Privacy Policy and any other applicable SumUp terms and conditions (herein the "Terms", "Privacy Policy") concluded and agreed by and between you as SumUp’s merchant ("you", "Data Controller") and SumUp Limited, Block 8, Harcourt Centre, Charlotte Way, Dublin 2, Ireland D02 K580 ("SumUp", "we", "Data Processor"), part of SumUp S.A.R.L. Group Companies – SumUp Group.

Each party agrees and will ensure that the terms of this DPA shall also be fully applicable to its affiliates which may be involved in the processing of personal data for the Services defined in the Additional Terms. Specifically, SumUp will ensure that all sub-processors operate within the same terms as this DPA when processing Your Customer Data.

For the purposes of the personal data processing under this DPA, SumUp uses as a sub-processor, an entity, part of SumUp Group - Shoplo spółka z ograniczoną odpowiedzialnością, located in Warsaw, Poland (00-189) at Inflancka street 4C registered in Polish National Court Register (KRS), registration number: 417586, NIP: 5213630420 ("Shoplo").

In order to provide you with the Services under the Additional Terms, SumUp processes data of customers or visitors of your site or services ("Your Customers", "Customers"). The processing of such data by SumUp is hereinafter referred to as "processing" (as such term is defined under the GDPR). The following Data Processing Agreement sets forth the terms of such processing by SumUp.

  1. Definitions

    1. "Applicable Data Protection Legislation" means Regulation (EU) 2016/679 (the "General Data Protection Regulation", "GDPR", the "Regulation") as well as all other applicable legislation in force regulating the processing of personal data including as applicable e-Privacy Directive 2002/58/EC.

    2. The terms "controller", "data subject", "personal data", "process", "processing" and "processor" have the meanings given to these terms in the GDPR.

    3. "Content" means your Content and any content provided to SumUp from Your Customers, including, without limitation text, photos, images, audio, video, code, and any other materials.

    4. "Your Customers’ Data" means the personal data in the Content of Your Customer(s) as processed by SumUp, on your behalf, as part of the Services. Your Customers’ Data does not include personal data where such data is controlled by SumUp.

      All definitions that are used in the present DPA but do not have an explicit definition in this section will have the meaning defined in the Additional Terms. If there is no specific definition in the Additional Terms or the Terms, their meaning will be the one given in the GDPR or in the other applicable rules if not defined in the Regulation.

  2. Applicability. This DPA only applies in respect of Your Customers’ Data and only if the GDPR is applicable. You agree that SumUp is not responsible for personal data that you have chosen to process through third party services or outside of the Services, including the systems of any other third-party cloud services, offline or on-site storage.

  3. Details of Data Processing

    1. Subject Matter. The subject matter of the data processing under this DPA is Your Customers’ Data.

    2. Duration. As between you and us, the duration of the data processing under this DPA is determined by you and for the selected period for which you choose to use our Services.

    3. Purpose. The purpose of the data processing under this DPA is the provision of the Services initiated by you.

    4. Nature of the Processing. The Services as described in the Additional Terms and as initiated by you from time to time.

    5. Type of Personal Data. Your Customers’ Data relating to you, Your Customers or other individuals whose personal data are included in Content which is processed as part of the Services in accordance with the instructions given. These data include, but are not limited to, Your Customers’ names, e-mail address, mobile/phone number, physical address, bank details, transactional history, IP address. Special categories of personal data, data including that relating to criminal convictions and offences, are not deemed to be processed under the Services, they are excluded from the terms of this DPA. If such data is processed while using our Services, this is without the knowledge of SumUp and you should delete such information immediately after you identify such processing.

    6. Categories of Data Subjects. You, Your Customers, your customers’ potential customers and any other individuals whose personal data are included in the Content.

  4. Rights and Obligations

    1. To the extent Your Customers’ Data are processed by SumUp on your behalf and this processing is subject to the General Data Protection Regulation (Regulation (EU) 2016/679; the "GDPR"), you acknowledge and agree that for the purposes of provision of the Services by SumUp, you are the Data Controller of such personal data, and by using SumUp’s Services, you have instructed SumUp to process Your Customers’ Data on your behalf, pursuant to this DPA.

    2. You can revoke the acceptance of this DPA at any stage, but by doing so SumUp will no longer be able to provide you with the Service.

    3. SumUp in its capacity of personal data processor:

      1. a.

        processes Your Customers’ Data only for the purposes specified in the DPA and in accordance with the applicable law and the DPA;

      2. b.

        may only act and process Your Customers’ Data in accordance with your documented instruction, unless required by law, Court order or legislative measure, to act without such instruction. Your instruction, at the time of entering into this DPA, is that SumUp may only process Your Customers’ Data for the purpose of delivering the Services as described in the DPA and the Additional Terms. Subject to the terms of this DPA, and with mutual agreement of both parties, you may issue additional written instructions consistent with the terms of this DPA;

      3. c.

        guarantees that the persons authorized to process personal data have assumed the confidentiality obligation or are legally required to maintain confidentiality obligations;

      4. d.

        guarantees that the access to the personal data is granted on a need to know basis with respect to the performance of the Services under the Additional Terms;

      5. e.

        is responsible for ensuring that employees/sub-contractors and/or any agents processing Your Customers’ Data only process the personal data in accordance with your instructions;

      6. f.

        will inform you immediately in case we consider that some of your instructions contradict with Applicable Data Protection Legislation;

      7. g.

        is obliged to protect Your Customers’ Data under this DPA from any destruction, alteration, loss and any other unauthorised processing. For this purpose, SumUp takes appropriate security measures in accordance with applicable law. Technical and organisational measures applied by SumUp are depending on the technical advancement. It is possible that SumUp may introduce some alternative adequate measures. It is not possible to decrease the level of the defined security measures when introducing such alternatives. SumUp will assist you with appropriate technical and organizational measures as required and, considering the nature of the treatment and the category of information available to SumUp, help to ensure compliance with your obligations under the Applicable Data Protection Legislation.

      8. h.

        upon your reasonable request, makes available certifications demonstrating SumUp’s compliance with its obligations under this DPA and Applicable Data Protection Legislation; and/or makes available information necessary to demonstrate compliance with obligations under this DPA and Applicable Data Protection Legislation. The information to be made available by SumUp is limited to solely necessary information, taking into account the nature of the Services and the information available to SumUp, to assist you in complying with your obligations, especially with respect to art.32 and 36, GDPR (obligations in respect of data protection impact assessments, prior consultation and ensuring security of personal data);

      9. i.

        will assist you, within reasonable timeframes, by appropriate measures and, as reasonably possible (considering the nature of the processing), in complying with data subject rights and all other relevant obligations under data privacy regulations, including the GDPR;

      10. j.

        will provide you notice, if permitted by applicable law, upon receiving an inquiry or complaint from an individual whose personal data is included in your Content, or a binding demand from a government, law enforcement, regulatory or other body, in respect of Your Customers’ Data that we process on your behalf and instructions.

    4. You in the capacity of personal data controller:

      1. a.

        will collect, use and process personal data in the Content in accordance with any and all Applicable Data Protection Legislation;

      2. b.

        have sole responsibility for the accuracy, quality, and lawful processing of Your Customers’ Data and the means by which it was obtained;

      3. c.

        ensure the appropriate level of security when using the Services, taking into consideration any risks with respect to Your Customers’ Data;

      4. d.

        acknowledge that any storage and/or transfer that you make of Your Customers’ Data to any third-party or platform, other than SumUp, shall be at your sole risk and responsibility;

      5. e.

        ensure that your instructions with regards to personal data processing comply with all laws, regulations and rules applicable in relation to Your Customers’ Data. You will also ensure that the processing of Your Customers’ Data in accordance with your instructions will not cause or result in us or you being in breach of any laws, rules or regulations (including the GDPR).

  5. Breach Notifications. The party shall immediately inform the other party (but not later than 48 hours) after it becomes aware of a personal data breach in relation to personal data processed under this DPA. SumUp will assist you in complying with your notification obligations under Articles 33 and 34 of the GDPR, provide you with such information about the breach as we are reasonably able to disclose to you, taking into account the nature of the Services, the information available to us and any restrictions on disclosing the information such as for confidentiality. Despite the foregoing, SumUp’s obligations under this section do not apply to incidents that are caused by you, any activity on your account and/or third-party services. SumUp is obliged to cooperate and support you regarding the investigation, the minimization of the negative consequences and rectification of the personal data breach as well as the prevention of future similar data breaches. SumUp’s notification of a personal data breach will not be deemed as an acknowledgement by SumUp of any fault or liability with respect to such incident. In the event of a personal data breach, you shall be obligated to take the measures required under applicable laws in connection with Your Customers’ Data.

  6. Sub-Processors. Hereby you grant SumUp general authorization to engage sub-processors in order to provide the Services without obtaining any further written, specific authorization. SumUp will execute an agreement with each sub-processor ensuring compliance by such sub-processor with terms ensuring at least the same level of protection and security as those set out in this DPA. If you object to any sub-processor and your objection is reasonable and related to data protection concerns, we will use commercially reasonable efforts to make available to you a means of avoiding the processing of Your Customers’ Data by the objected-to sub-processor. If we are unable to make available such suggested changes within a reasonable period of time, we will notify you and if you still object to our use of such sub-processor, you may cancel or terminate your account or, if possible, the portions of the Services that involve use of such sub-processor.

  7. Transfer of Personal Data. The Processing of Your Customers’ Data shall take place within the territory of the European Economic Area ("EEA"). Any transfer to and processing in a third country outside the EU/EEA that does not ensure an adequate level of protection according to the European Commission, shall be undertaken in accordance with the Standard Contractual Clauses (2010/87/EU) or other appropriate mechanism guarantying an adequate level of personal data security according to the requirements of Chapter V of the GDPR.

  8. Audits. You are entitled to initiate a review of SumUp’s obligations under this DPA once a year. If SumUp is required to do so under applicable legislation, audits may be repeated once a year. Both parties decide together if a third party should conduct the audit. However, you may allow us to have the security review carried out by a neutral third party of our choice, if it is a processing environment where multiple data controller’s data is processed. If the proposed scope of the audit follows an ISO or similar certification report conducted by a qualified third-party auditor within the previous twelve months, and SumUp confirms that there have been no material changes in the measures under review, this will satisfy any requests received within such timeframe. Audits may not unreasonably interfere with SumUp's business as usual activities. You are responsible for all costs associated with your request for audit review.

  9. Liability. The liability of each party under this DPA is subject to the exclusions and limitations of liability set out in the Additional Terms and/or Terms. You agree that any regulatory penalties or claims by data subjects, or others, incurred by SumUp in relation to Your Customers’ Data that arise as a result of, or in connection with, your failure to comply with your obligations under this DPA or the Applicable Data Protection Law shall reduce SumUp’s maximum aggregate liability to you under the Additional Terms and/or the Terms in the same amount as the fine and/or liability incurred by us as a result.

  10. Termination. This DPA shall be in effect for as long you use any of SumUp’s Services. However if SumUp is obligated, according to the terms of this DPA or any of SumUp’s Terms and Conditions, to keep personal data of Your Customers following the termination of the Services, this DPA shall continue to be in effect for as long as SumUp is required to hold such personal data. Upon termination of the use of the Services, and unless SumUp is required to retain Your Customers’ Data under SumUp’s Additional Terms and/or Terms, any agreement or applicable laws, SumUp shall, including upon written request by you, delete the Your Customers’ Data as soon as reasonably practicable and according to SumUp’s Terms and applicable laws.

  11. Miscellaneous.

    1. In the event of contradiction between this DPA and any of SumUp’s Additional Terms and/or Terms, the provisions of this DPA shall govern.

    2. You are responsible for any costs and expenses arising from SumUp’s compliance with your instructions or requests pursuant to the Additional Terms (including this DPA) which fall outside the standard functionality made available by SumUp generally through the Services.

    3. SumUp shall have the right to amend and/or adjust any of the terms of this DPA as may be required from time-to-time. Changes to the Agreement might be made by SumUp in a separate Annex or in another visible means and will be communicated appropriately.

    4. Any questions regarding this DPA or other personal data processing related requests should be addressed to us at SumUp will attempt to resolve any complaints regarding the use of Your Customers’ Data in accordance with this DPA, the Terms and SumUp internal policies.

    5. If any of the provisions of the DPA are deemed invalid, this does not affect the remaining provisions. The parties shall replace invalid provisions with a legal provision that reflects the purpose of the invalid provision.

    6. This Agreement shall be governed by and construed in accordance with Irish law. Any dispute arising out of or in connection with the Agreement shall be finally referred to and resolved by the Courts of Ireland, except where prohibited by EU law.