Legal
THIS DATA PROCESSING ADDENDUM ("DPA"), including its Annexes, forms an integral part of the Agreement between Merchant and Credorax (each a "Party" and collectively the "Parties") which relates to the Services (as defined below) that Credorax shall provide Merchant under the Agreement and defines the data processing relationship between the Parties. This Addendum (as defined below) sets out the additional terms, requirements, and conditions on which Credorax will process Personal Data (as defined below) for and on behalf of Merchant when providing Services under the Agreement and shall supersede any other data processing addendums or documents previously signed, unless specifically agreed otherwise between the Parties. This Addendum contains the mandatory clauses required by Article 28(3) of the GDPR for contracts between Controllers and Processors (as defined below).
Definitions
The following capitalised terms shall bear the meaning ascribed thereto. Definitions of capitalised terms that are not defined in this Addendum can be found in other parts of the Agreement, such as the main body of the Agreement or the OTC (Online Terms and Conditions).
"ADC" means Account Data Compromise, an occurrence that results, directly or indirectly, in the unauthorised access to or disclosure of account data, or the unauthorised manipulation of account data controls, such as account usage and spending limits, as defined by the Card Schemes.
"Addendum" means this addendum in its entirety, including any privacy related schedules and annexes as may be added to the Agreement from time to time.
"Adequacy Decision" means the decision made by the European Commission or the UK Information Commissioner's Office that a third country, territory, specific sector in a third country or an international organisation offers levels of data protection that are essentially equivalent to that within the European Union or the United Kingdom. An adequacy decision permits a cross-border data transfer outside the European Union or the United Kingdom, or onward transfer from or to a party outside the European Union or the United Kingdom without further authorisation.
"Agreement" means the Acquiring (Merchant) and/or Local Payment Methods Agreement as may be relevant.
"Controller" means the entity which determines the purposes and means of the processing of Personal Data.
"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
"Data Protection Laws" means (i) the GDPR; (ii) Maltese Data Protection Laws; (iii) United Kingdom Data Protection Laws; (iv) other legislation and regulatory requirements in force from time to time which apply to each of the Parties respectively relating to the use of Personal Data (including without limitation, the privacy of electronic communications and other data protection or privacy legislation such as the Swiss Federal Act on Data Protection of June 19, 1992); and (v) the guidance and codes of practice issued by the relevant data protection or Supervisory Authority and applicable to either Party, in each case as may be amended, supplemented, or replaced from time to time.
"Data Subject" means the identified or identifiable person to whom Personal Data relates.
"EEA" means the European Economic Area, which for the purpose of this DPA shall also include the United Kingdom.
"GDPR" means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, as in force and as amended, replaced, or superseded from time to time, including any laws implementing or supplementing the GDPR, including as implemented under the laws of the United Kingdom.
"Maltese Data Protection Laws" means all applicable data protection and privacy legislation in force from time to time in Malta, including (i) the Data Protection Act, Chapter 586 of the Laws of Malta; (ii) the GDPR; (iii) all national implementing laws, regulations and secondary legislation applicable in Malta which relate to the processing of Personal Data, in each case as may be amended, supplemented or replaced from time to time.
"Merchant Data" means Transaction Data or Personal Data provided to Credorax by Merchant or on its behalf or to which Credorax obtains access solely as a result of, or in connection with, the provision of the Services.
"Personal Data" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Potential ADC" means an occurrence that could result, directly or indirectly, in the unauthorised access to or disclosure of account data, or the unauthorised manipulation of account data controls, such as account usage and spending limits.
"Principal Contact" means a designated person or department from Merchant's organisation, as provided by Merchant in the Merchant application form.
"Processor" means a natural or legal person, public authority, agency, or any other body which processes Personal Data on behalf of Merchant.
"Restricted Transfer" means the international transfer of Personal Data outside the EEA, to a third country or international organisation which does not have an Adequacy Decision.
"Services" means the services as defined in the respective Agreement including but not limited to the processing of payment data for the settlement of funds.
"Standard Contractual Clauses" means the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries, as set out in the Annex to Commission Decision 2010/87/EU, and as may be amended or replaced by the European Commission from time to time, and its application, where relevant, in accordance with the International Data Transfer Addendum to the Standard Contractual Clauses, as issued by the UK Information Commissioner's Office under S119A(1) of the Data Protection Act 2018 (the "UK Addendum").
"Sub-Processor" means a third party contracted by the Processor to process Personal Data for the purpose of carrying out a specific processing activity on behalf of the Controller in connection with the Services.
"Supervisory Authority" means the relevant supervisory authority with jurisdiction over the Data Protection Laws.
"Transaction Data" means any information related to a card or a payment instrument for effectuating purchases or other financial transactions. This may include the card number assigned to the card by the issuing bank, the cardholder/buyer name, the expiration date of the card, the CVV code, and the name and location of the Merchant where the transaction occurred.
"United Kingdom Data Protection Laws" means all applicable data protection and privacy legislation in force from time to time in the United Kingdom, including the Data Protection Act 2018, and all laws, regulations, and secondary legislation applicable in the United Kingdom which relate to the processing of Personal Data, in each case as may be amended, supplemented or replaced from time to time, including the UK Addendum.
General
- Both Parties warrant that they will comply with their respective obligations under Data Protection Laws and the terms of this Addendum. As agreed between the Parties with regard to Merchant Data, for the purposes of all Data Protection Laws, Merchant shall act as Controller and Credorax shall act as Processor, except to the extent that Credorax is required to process Merchant Data for compliance with its own legal or regulatory requirements.
- Subject to the provisions of the Agreement and any instruction that may be given from time to time in writing by Merchant, Credorax is hereby appointed by Merchant to process Merchant Data on behalf of Merchant for the purpose of performing and fulfilling the Services which consist of the provision of acquiring services, including, but not limited to, the processing and settlement of payment card Transactions according to regulatory and Card Scheme standards and requirements.
- The Parties therefore acknowledge and agree that Merchant retains control of Merchant Data at all times. As the Controller, Merchant remains solely responsible for ensuring and maintaining compliance with any and all obligations which may be imposed upon Controllers of Personal Data under Data Protection Laws. This includes providing any required notices and mandatory information, obtaining any required consents from Data Subjects, and for any other instructions which it may give Credorax from time to time.
Merchant Obligations
- Merchant warrants and represents to Credorax that:
  3.1.1 it shall be exclusively responsible for ensuring that it complies at all times with any and all obligations which it may have as the Controller of the relevant data under this Addendum and under the Data Protection Laws;
  3.1.2 all Merchant Data is obtained in accordance with the Data Protection Laws and in particular, that where it has relied on consent as a means of processing Personal Data, it has obtained valid consent of the Data Subjects as required in terms of Data Protection Laws;
  3.1.3 all instructions given to Credorax in terms of this Addendum and the Agreement shall at all times be in accordance with Data Protection Laws, and that the compliance, performance, or execution of any and all such instructions shall not, at any point in time, cause Credorax to be in breach of any Data Protection Laws;
  3.1.4 it has provided the Data Subjects with all necessary information about the processing of the Personal Data in the context of the Agreement as required by Data Protection Laws, including, without limitation, information relating to the appointment of Processors transferring to, and processing Personal Data by, third parties which may use or retain the Personal Data for compliance with legal and regulatory requirements;
  3.1.5 it shall maintain all necessary policies and processes to authorise the access and processing of the relevant data in the full manner contemplated by this Addendum and the Agreement;
  3.1.6 in case of a Data Breach affecting Merchant Data, Merchant shall notify Credorax immediately upon becoming aware of such Data Breach, including the details of the Data Breach and the affected records; and
  3.1.7 in case an ADC event or a Potential ADC event affects or may affect any system or environment of Merchant or Credorax, Merchant shall notify Credorax immediately upon becoming aware of such event, including the details and the affected system or environment.
- Merchant understands that the Card Schemes require to be informed of any Data Breach and agrees that Credorax will report any such Data Breach to the Card Schemes. Merchant shall also provide Credorax with the information which may be requested by Credorax in accordance with the Card Schemes' requirements.
- Merchant hereby grants its express consent to Credorax communicating Transaction Data to a Sub-Processor (in accordance with the requirements of this Addendum), a payment scheme, an issuing bank or other participating bank, or a regulator, provided it does so in accordance with applicable law and/or as required for the performance of the Agreement.
- Merchant acknowledges that, as Controller, it is Merchant's responsibility to provide documented instructions, which for the purpose of this DPA shall be the Agreement, upon which Credorax shall rely in order to process Merchant Data for the purposes of carrying out the Services as set out in the Agreement.
- Merchant shall pay Credorax any internal costs and/or third party expenditure suffered or incurred by Credorax or any of its affiliates in providing any assistance, information and cooperation pursuant to Credorax's obligations as defined below.
Credorax Obligations
- Credorax shall only carry out processing of Merchant Data in accordance with the written instructions provided by Merchant, which has been given by way of the executed Agreement, and shall only process such Merchant Data for the performance of the Services, including Restricted Transfers (unless Credorax is otherwise required to process Merchant Data by relevant law or any regulatory bodies to which Credorax is subject, in which case Credorax shall inform the Controller of that legal requirement unless prohibited by that law on grounds of public interest), and shall immediately inform Merchant if, in the opinion of Credorax, any instruction given by Merchant to Credorax infringes Data Protection Laws.
- Credorax shall comply with its obligations as Processor under the relevant Data Protection Laws.
- Credorax shall reasonably cooperate with Merchant at Merchant's cost, with fulfilling Merchant's obligations as Controller in respect of Data Subject rights under the Data Protection Laws.
- Credorax shall take all technical and security measures required to protect Merchant Data in accordance with Article 32 of the GDPR.
- Where relevant for the processing of Merchant Data provided by Merchant and taking into account the nature of the processing and the information available to Credorax, upon written request Credorax shall use all reasonable measures to assist Merchant in ensuring compliance with the obligations of Merchant to: (i) keep Merchant Data secure at all times; (ii) implement and maintain appropriate technical and organisational measures to protect against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of the Merchant Data and against accidental or unlawful loss, destruction, alteration, disclosure or damage to the Merchant Data, including, but not limited to, the security measures as set out in the Agreement.
- In case of a Data Breach, Credorax shall, as soon as reasonably possible after becoming aware, inform Merchant of any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, or any other form of unauthorised processing of, or of any disruptions endangering the security of, the Data Subject's Personal Data or Merchant Data transmitted, stored or otherwise processed. Credorax accepts and acknowledges that Merchant may take steps and measures to remedy a breach by Credorax under Data Protection Laws, including but not limited to any communications with a Supervisory Authority, unless otherwise required by law.
- On expiry or termination of the Agreement, Credorax shall cease to use Merchant Data and shall arrange for its safe return or destruction as shall be required by Merchant (unless relevant law requires storage of any Merchant Data, or an exemption under GDPR applies), however Credorax may retain a copy of such Merchant Data to the extent required or permitted under Applicable Law.
- Upon written request, Credorax shall make available to Merchant all information necessary to demonstrate compliance with the obligations under Data Protection Laws and allow for and contribute to audits, including inspections, conducted by Merchant or another auditor mandated by Merchant.
Audit Rights
- Unless Merchant has reasonable grounds to believe that Credorax has breached Data Protection Laws, upon Merchant's reasonable prior written request, and no more than once a year, Credorax agrees to provide Merchant with documentation or records (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum) to demonstrate Credorax's compliance with its data protection and security obligations under the terms of this Addendum. Credorax shall provide such information within sixty (60) days of receipt of such request and notify Merchant of the person within Credorax's organisation who will act as point of contact for the provision of the information required by Merchant. Any costs incurred with respect to an audit will be borne by Merchant, depending on the effort estimated by Credorax.
- Where, in the reasonable opinion of Merchant, such documentation is not sufficient in order to meet the obligations of Article 28 of the GDPR, Merchant will be entitled, upon providing thirty (30) days prior written notice to Credorax and upon reasonable grounds, to conduct an on-site audit of Credorax's premises used in connection with the Service, solely to confirm compliance with its data protection and security obligations under this Addendum. Any such audit will be limited in time and shall last no longer than three (3) business days, during business hours.
- Any audit carried out by Merchant will be conducted in a manner that does not disrupt, delay, or interfere with Credorax's performance of its business. Merchant shall ensure that the individuals carrying out the audit are under the same confidentiality obligations as set out in the Agreement.
- Any audit right granted to Credorax under the Agreement shall remain in full force and effect. In the event that there is no audit right in favour of Credorax or the audit right contained in the Agreement in favour of Credorax is not sufficient to enable it to verify and monitor Merchant's compliance with its data protection and security obligations under the terms of this Addendum, then, Credorax shall be entitled to carry out an audit of Merchant on reciprocal terms as those set out in this clause.
Use of Sub-Processors
- Merchant hereby authorises and grants Credorax general written authorisation to appoint (and permit each Sub-Processor appointed in accordance with this provision to appoint) Sub-Processors in accordance with this provision and any restrictions contained in the Agreement.
- Credorax shall notify Merchant of any changes concerning the addition or replacement of Sub-Processors and allow Merchant fifteen (15) days to object to such changes. Should Merchant object to Credorax's changes, it shall allow Credorax to address Merchant's concerns and mitigate them. Where Merchant's objection persists, it may terminate its Agreement with Credorax.
- Credorax shall remain liable to Merchant in the event that the Sub-Processor fails to fulfil its data protection obligations and for all other actions and omissions of the Sub-Processor.
- Credorax shall bind its Sub-Processors in terms of this clause by means of a written contract that contains processing clauses and obligations substantially the same as those set out and imposed in this Addendum.
- A list of Credorax's current Sub-Processors can be found in Annex III. By entering into the Agreement, Merchant acknowledges and accepts the use of these Sub-Processors.
Credorax's Employees
Credorax shall ensure that its employees and other personnel who are given access to Merchant Data are adequately and responsibly informed of the confidential nature of the Personal Data and have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality.
International Transfers
- In order to provide the Services, Credorax transfers Personal Data outside the EEA.
- Merchant hereby agrees that Credorax may transfer Personal Data outside the EEA on the basis of an Adequacy Decision, or subject to appropriate safeguards, as allowed under the GDPR.
- To the extent required and in relation to Restricted Transfers, Merchant hereby grants a general mandate for Credorax (acting as a data exporter) to enter into and sign Standard Contractual Clauses with any Sub-Processor (acting as a data importer) located in a jurisdiction without an Adequacy Decision. Merchant understands that without such Restricted Transfer, Credorax is unable to provide the Services.
- As such, where Merchant Data originating in the EEA is transferred by the Processor to outside the EEA to a territory that has not been given an Adequacy Decision, the Controller and Processor agree that the transfer of such Merchant Data between the Processor and any Sub-Processor shall be subject to Module Three (Transfer processor to processor) of the Standard Contractual Clauses and where the transfer is subject to United Kingdom Data Protection Laws, the Standard Contractual Clauses shall be read in accordance with, and deemed amended by the provisions of Part 2 (Mandatory Clauses) of the UK Addendum.
- The relevant provisions contained in the Standard Contractual Clauses and the UK Addendum are incorporated by reference and are an integral part of this Addendum.
- The information required for the purposes of the Appendix to the Standard Contractual Clauses is set out in Annexes I, II, and III of this Addendum:
  I. Annex I - Description of onward transfer under standard contractual clauses between Processor and Sub-Processor
  II. Annex II - Technical and organisational measures including technical and organisational measures to ensure the security of the data
  III. Annex III - List of Sub-Processors
- For the purposes of Table 4 of Part One (Tables) of the UK Addendum, the Parties shall select the "neither party" option.
Security
- For the avoidance of doubt, both Parties acknowledge that any provisions in relation to PCI-DSS used in connection with the Credorax Services under the Agreement shall remain unchanged and in full force and effect.
- Both Parties warrant and agree that each shall carry out and implement any security measures (technical and organisational) which may be necessary or otherwise mandated under Data Protection Laws (specifically with respect to Article 32 of the GDPR) to safeguard the privacy and security of the Personal Data, and that these measures shall remain in place for the duration of the Agreement. This will include ensuring that there are sufficient technical and organisational measures to ensure data protection by default and by design.
Liability & Indemnity
Subject to the liability clauses in the Agreement, the Parties agree that they will be held liable for violations of Data Protection Laws towards Data Subjects as follows:
- Merchant shall be liable for the damage caused by the processing of Merchant Data which infringes Data Protection Laws or this Addendum only where it has not complied with obligations of Data Protection Laws specifically directed to Controllers.
- Merchant shall indemnify, defend, and hold Credorax harmless from and against any and all claims, actions, suits, demands, assessments, or judgments asserted, and any and all losses, liabilities, damages, costs, and expenses (including, without limitation, attorneys' fees, accounting fees, and investigation costs to the extent permitted by law) alleged or incurred arising out of or relating to any operations, acts, or omissions of the indemnifying party or any of its employees, agents, and invitees in the exercise of the indemnifying party's rights or the performance or observance of the indemnifying party's obligations under this Agreement. Prompt notice must be given of any claim, and the Controller providing the indemnification will have control of any defence or settlement.
- Credorax shall be liable for the damage caused by the processing of Merchant Data which infringes Data Protection Laws or this Addendum only where it has not complied with obligations of Data Protection Laws specifically directed to Processors, or where it has acted in breach of its obligations under this Addendum. In that context, Credorax as Processor will be exempt from liability if it can prove that it is not in any way responsible for the event giving rise to the damage.
Applicable Law and Jurisdiction
This Addendum is subject to the conditions stipulated in the Agreement.
Notice
- Any notice or other communication relating directly to this Addendum is to be given in writing to DPO@Credorax.com. This clause does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
- Credorax shall provide notices relating to this Addendum, including breach notifications and other privacy related matters, to the Principal Contact. To the extent Merchant receives the Services via Provider, Credorax shall provide notices relating to this Addendum to Provider, as defined in the Agreement, and it is Provider's responsibility to notify Merchant accordingly. It is Merchant's or Provider's responsibility, as may be applicable, to update Credorax in case of any changes in the Principal Contact.
ANNEX I - DESCRIPTION OF ONWARD TRANSFER UNDER STANDARD CONTRACTUAL CLAUSES BETWEEN PROCESSOR AND SUB-PROCESSOR
Data exporter
The data exporter is:
Transferring Personal Data for the provision of the Services that include processing payment data for the settlement of funds to Controller as detailed in the Agreement.
Data importer
The data importer is:
Processing Personal Data to enable and facilitate the provision of the Services detailed in the Agreement.
Data subjects
The Personal Data transferred concerns the following categories of data subjects: Cardholders or shoppers or buyers of Controller;
Categories of data
The Personal Data transferred concerns the following categories of data:
Encrypted credit card number, name, email, address, IP address and any other information transferred by Controller.
Special categories of data (if appropriate)
The Personal Data transferred concern the following special categories of data: N/A
Processing operations
The Personal Data transferred will be subject to the following basic processing activities: Processing, storing, analysing, visualising, and monitoring data.
ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
- Data encryption as required by applicable PCI standards
- Compliance programme
ANNEX III - SUB-PROCESSORS
List of Sub-Processors can be found here:
https://www.credorax.com/legal/gdpr/sub-processors