DATA CONTROLLER AGREEMENT
I.- That the MERCHANT has a [Digital Payment System Agreement/Technical Solution Provider Agreement/International Payments Facilitation] (“Service Agreement”) entered into with PAGSEGURO INTERNATIONAL.
II.- That PAGSEGURO INTERNATIONAL is a company dedicated to providing digital payment system and other additional services for digital software and entertainment companies, specializing in monetization, publishing and offering local methods of payment for end users, enabling payment solutions to merchants and customers across the globe.
III.- That PAGSEGURO INTERNATIONAL has two modalities of checkout: (i) one named DIRECT/TRANSPARENT in which the end users only access the MERCHANT’s pages, its data is sent to PAGSEGURO INTERNATIONAL by the MERCHANT and PAGSEGURO INTERNATIONAL acts as PROCESSOR for MERCHANT; and (ii) another named HOSTED, in which the end users are redirected by MERCHANT to a PAGSEGURO INTERNATIONAL page and each party acts as a CONTROLLER.
IV.- That PAGSEGURO INTERNATIONAL also offers the PAYOUT service, which allows the MERCHANT to send payment to end users. The end users only access the MERCHANT’s pages, its data is sent to PAGSEGURO INTERNATIONAL by the MERCHANT and PAGSEGURO INTERNATIONAL acts as a PROCESSOR for MERCHANT.
V.- For the PAYOUT and DIRECT/TRANSPARENT checkout, PAGSEGURO INTERNATIONAL will process personal data of end users contained in the files owned by the MERCHANT. Therefore, as a result of the services hired by the MERCHANT, PAGSEGURO INTERNATIONAL will act as a PROCESSOR and have access to a file containing personal data (basic level), which is the property of the MERCHANT, which will act as a CONTROLLER.
VI.- For the HOSTED checkout, the end users will be directed by MERCHANT to access a specific PAGSEGURO INTERNATIONAL page, in which the end users will agree to PAGSEGURO INTERNATIONAL’s Terms of Use and Privacy Policy and, afterward, end users will be able to use the payment solutions offered by PAGSEGURO INTERNATIONAL to conclude the payment for digital software or digital product or service to MERCHANT, and PAGSEGURO INTERNATIONAL and MERCHANT both shall act as CONTROLLERS.
VII.- The parties have agreed to enter into this PERSONAL DATA PROCESSING AGREEMENT in accordance with the following:
PROVISIONS
FIRST. – PURPOSE OF THE AGREEMENT
The purpose of this agreement is to illustrate the two possible relations the Parties may have between them, as well as the obligations of each Party regarding the processing of personal data in each scenario.
For the PAYOUT and DIRECT/TRANSPARENT checkout, the end users only access the MERCHANT’s pages. The MERCHANT is the one responsible for providing all the services relating to the sending of payment to end users, and the acquisition of digital software or digital product or service, including the checkout and payment system. MERCHANT engages PAGSEGURO INTERNATIONAL to provide the checkout and/or payment system, under MERCHANT’s name and supervision. Therefore, MERCHANT remains responsible for compliance with the data protection rules, in particular with respect to end users’ rights. MERCHANT is also responsible for determining and effectively controlling and transferring personal data to PAGSEGURO INTERNATIONAL, so that PAGSEGURO INTERNATIONAL may provide its services. For the PAYOUT and DIRECT/TRANSPARENT checkout PAGSEGURO INTERNATIONAL will act as a PROCESSOR and the MERCHANT will act as a CONTROLLER (“PROCESSOR/CONTROLLER”).
For the HOSTED checkout, the end users are redirected from the MERCHANT’s page to a PAGSEGURO INTERNATIONAL page to provide the information and agree to PAGSEGURO INTERNATIONAL’s Terms of Use and Privacy Policy. PAGSEGURO INTERNATIONAL collects the data necessary to provide its services directly from the end user and is responsible for determining which information and how the information will be used to provide its services. Both Parties act as CONTROLLERS (“CONTROLLER/CONTROLLER”).
For the PROCESSOR/CONTROLLER:
(i) PAGSEGURO INTERNATIONAL shall process personal data included in files of the MERCHANT or obtained by PAGSEGURO INTERNATIONAL as a result of the provision of services to MERCHANT, as a consequence of and for the purpose of the provision of services agreed in the Service Agreement signed between the MERCHANT and PAGSEGURO INTERNATIONAL.
(ii) The processing of the personal data by PAGSEGURO INTERNATIONAL will be carried out as a consequence of the storage of personal data of users by MERCHANT for the processing of payments subject to the Service Agreement.
(iii) This agreement grants to PAGSEGURO INTERNATIONAL access to personal data stored by MERCHANT. At all times, the use and purpose of the processing of the personal data will remain under the control of the MERCHANT.
(iv) PAGSEGURO INTERNATIONAL will only have access to personal data to the extent required to complete the purpose set forth above.
For the CONTROLLER/CONTROLLER:
(i) the Parties shall process personal data that was directly provided to them by the end users as a result of the Service Agreement.
(ii) this agreement does not limit what each Party can do with such personal data, provided the Service Agreement is fulfilled and the Parties have collected the personal data in accordance with provisions of the applicable Data Protection Regulation and have obtained all the necessary authorizations and consents of the end users. The processing of the data which is not directly related to the Service Agreement will remain the exclusive responsibility of the Party carrying out the processing, and such Party will keep the other one exempt from any responsibility for such processing, including obligations relating to the compliance with the applicable Data Protection Regulation and obligations before the end users and shall pay full compensation for any damage incurred for processing personal data not related to a Service Agreement.
SECOND. – VALIDITY; TERM
This agreement shall remain in force as of the date first written above (the “Effective Date”), and during the entire contractual relationship between the parties under a Service Agreement (the “Term”).
This agreement is an integral part of the Service Agreement, binding upon the parties and their respective successors and assignees. The Service Agreement will govern this agreement concerning termination, indemnification and confidentiality.
This agreement shall be considered terminated, without the need of any notice, in the event that the Service Agreement signed between MERCHANT and PAGSEGURO INTERNATIONAL is terminated, for any cause, including the expiration of the term provided for in the Service Agreement.
THIRD. - OBLIGATIONS OF PAGSEGURO INTERNATIONAL FOR PROCESSOR/CONTROLLER
- a) PAGSEGURO INTERNATIONAL agrees to process the personal data in accordance with the provisions of the Data Protection Regulations applicable to PAGSEGURO INTERNATIONAL, and the instructions provided by the MERCHANT in writing. In the event of any conflict between the MERCHANT’s instructions and Data Protection Regulations, the Data Protection Regulations shall prevail.
- b) PAGSEGURO INTERNATIONAL will guarantee that persons authorized to process the personal data have committed themselves to confidentiality obligations or are under an appropriate statutory obligation of confidentiality;
- c) PAGSEGURO INTERNATIONAL agrees to assist the MERCHANT, where necessary and upon request, in ensuring compliance with the obligations deriving from the personal data processing. PAGSEGURO INTERNATIONAL commits to make available all information necessary to demonstrate compliance with the obligations laid down in this PERSONAL DATA PROCESSING AGREEMENT.
- d) PAGSEGURO INTERNATIONAL will, at the choice of the MERCHANT, delete or return to the MERCHANT all the personal data after the end of the provision of services relating to processing, and delete existing copies, unless there is a legal requirement or authorization to retain the personal data;
- e) PAGSEGURO INTERNATIONAL undertakes to obtain the prior express authorization of MERCHANT to subcontract, on PAGSEGURO INTERNATIONAL’s own account, certain services of a SUB-PROCESSOR (as defined below). MERCHANT’s prior express authorization is not required for SUB-PROCESSORS already retained by PAGSEGURO INTERNATIONAL prior to the Effective Date, and this agreement ratifies the MERCHANT’s consent to the retaining of such SUB-PROCESSORS that occurred prior to the Effective Date, which, in any event, will be subject to Provision Seventh, below.
FOURTH. – OBLIGATIONS OF THE MERCHANT FOR PROCESSOR/CONTROLLER
- The MERCHANT represents and warrants that (i) it has collected personal data in accordance with the provisions of the applicable Data Protection Regulations, and (ii) it has obtained all the necessary authorizations and consents to engage PAGSEGURO INTERNATIONAL for the services provided under the Service Agreement, and for PAGSEGURO INTERNATIONAL’s access to personal data pursuant to this agreement.
- For personal data to be collected by the MERCHANT as of the Effective Date, the MERCHANT must maintain valid the representations and warranties contained in item (a) of this Provision Fourth, at all times during the Term.
- The MERCHANT shall maintain complete records of data processing activities under its responsibility, containing at least all of the following information: (i) the name and contact details of the MERCHANT and, where applicable, the MERCHANT's representative and the MERCHANT’s data protection officer; (ii) the purposes of the processing; (iii) a description of the categories of personal data processed, and whether the holders of personal data are identifiable or not, (iv) the categories of recipients to whom the personal data may be disclosed; (v) where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and the documentation of suitable safeguards; (vi) where possible, the envisaged time limits for deletion and exclusion of the different categories of data; (vii) where possible, a general description of the technical and organizational security measures applicable.
- In the event the applicable legislation so requires, the MERCHANT shall designate a representative before the European Union for the processing of personal data.
- The MERCHANT agrees to record the instructions of users regarding the processing of personal data, including any consents to transfer of personal data to a third country or an international organization.
- The MERCHANT shall pay full compensation to PAGSEGURO INTERNATIONAL for any damage incurred by (including indemnities, disbursement of any nature, court fees and attorney’s fees) PAGSEGURO INTERNATIONAL or its authorized subcontractors for processing personal data as requested by or agreed with the MERCHANT. This provision does not cancel or limit any other indemnity provision set forth in the Service Agreement.
FIFTH. – OBLIGATIONS OF THE PARTIES FOR CONTROLLER/CONTROLLER
- a) The Parties further declare and warrant that they have full knowledge of the applicable laws and regulations in relation to personal data, sensitive data or data that is subject to confidentiality under the terms of specific regulations, which includes privacy and information relating to the activities provided for in this PERSONAL DATA PROCESSING AGREEMENT and the Service Agreement, and that they have all the necessary authorizations to process and, where applicable, share such information. The Parties further undertake to strictly respect all regulations regarding data protection and privacy or other applicable regulations (including making declarations and obtaining the necessary authorizations), guaranteeing this to the other Party and indemnifying it in full for all damages resulting from any and all violations of these laws and regulations.
- b) The Parties agree to:
(i) guarantee full compliance, legitimacy, legality and observance of the precepts of the law with respect to personal data shared between them;
(ii) carry out the collection, processing and sharing of personal data in accordance with current legislation, as well as be supported by one or more of the legitimate legal bases provided for in the applicable legislation for the processing activities carried out. If requested by the competent authorities or the end user, the Parties must present the legal basis that justifies the treatment and sharing of personal data with the other Party, exempting the other Party from any responsibility related to the treatment and sharing of personal data under the conditions established in this PERSONAL DATA PROCESSING AGREEMENT and the Service Agreement;
(iii) when applicable, communicate to the other Party in a reasonable time, if the Party receives a request, notification or question from the competent authority or the end user regarding the personal data and this impacts the other Party;
(iv) when applicable, communicate to the other Party in a reasonable time whenever it becomes aware of a personal data breach relating to data processed in connection with the Service Agreement.
- c) The Parties, within their respective roles and obligations, adopt and will adopt the necessary measures to ensure that the end users exercise their rights in accordance with the legislation, at no cost to the end user.
- d) The Parties shall adopt necessary and appropriate security, technical and administrative measures to protect personal data in its confidentiality, availability and integrity, not limited to protection against unauthorized access and accidental or unlawful situations of destruction, loss, change, communication or any form of improper, unlawful or non-compliant treatment with the technical-normative guidelines of regulatory agencies.
- e) Each Party may subcontract part or all of its services under the Service Agreement. The other Party’s prior express authorization is not required to subcontract any services, and this agreement ratifies the other Party’s consent to the retaining of such processors or sub-processors. The processor or sub-processor will be obliged to fulfill substantially the same obligations established in this PERSONAL DATA PROCESSING AGREEMENT. Each Party will be exclusively responsible, on its own account, for any subcontracting of its services.
- f) The Parties, within their respective roles and obligations, will remain responsible for maintaining all the registries relating to the processing activities carried out.
SIXTH. – SECURITY MEASURES FOR CONTROLLER/PROCESSOR
PAGSEGURO INTERNATIONAL will maintain an incident response function capable of identifying, mitigating the effects of and preventing the recurrence of personal data security breach incidents. If an incident occurs, PAGSEGURO INTERNATIONAL will:
- a) Promptly take all necessary measures to prevent any further impairment of the MERCHANT data;
- b) Notify the MERCHANT within twenty-four (24) hours of the incident being found out and provide a written report in three (3) additional days;
- c) Respond promptly to any reasonable request from the MERCHANT for detailed information related to the incident.
SEVENTH. – SUBCONTRACTING FOR CONTROLLER/PROCESSOR
PAGSEGURO INTERNATIONAL can sub-contract the obligations that are subject to this PERSONAL DATA PROCESSING AGREEMENT, in order to perform the processing of personal data under this PERSONAL DATA PROCESSING AGREEMENT (“SUB-PROCESSOR”). PAGSEGURO INTERNATIONAL shall inform the MERCHANT of any intended changes concerning the addition or replacement of other processors.
The SUB-PROCESSOR, who will also have the status of PROCESSOR, will be obliged to fulfill the obligations established in this PERSONAL DATA PROCESSING AGREEMENT and with the instructions dictated by PAGSEGURO INTERNATIONAL.
The SUB-PROCESSOR will be subject to the same conditions (instructions, obligations, security measures, etc.) as PAGSEGURO INTERNATIONAL and with the same formal requirements, regarding the appropriate treatment of personal data and the guarantee of the rights of the people affected.
In the case of non-compliance on the part of the SUB-PROCESSOR, PAGSEGURO INTERNATIONAL will be responsible before the MERCHANT, in relation to the fulfillment of the obligations.
Whenever PAGSEGURO INTERNATIONAL uses a SUB-PROCESSOR, the privacy policy of the SUB-PROCESSOR may apply to the MERCHANT and/or the MERCHANT’s customers.
EIGHTH. - CONFIDENTIALITY
Any information marked as confidential that is communicated between the parties in connection with the subject of this PERSONAL DATA PROCESSING AGREEMENT may only be used by the parties for the purpose of this PERSONAL DATA PROCESSING AGREEMENT and the Service Agreement. Neither party (“Receiving Party”) shall disclose to any third party, either directly or through a third party, without the prior written consent of the other (“Disclosing Party”), any information received from the Disclosing Party in connection with this Agreement.
The Parties shall apply all technical and organizational measures necessary to maintain the duty of confidentiality of information set forth in this PERSONAL DATA PROCESSING AGREEMENT and in the Service Agreement.
NINTH. - GOVERNING LAW AND JURISDICTION
This PERSONAL DATA PROCESSING AGREEMENT and its performance shall be governed by the law and courts foreseen in the Service Agreement.
In witness of what is agreed herein, the MERCHANT gives its consent either by accepting this agreement online or by signing it.