Data Processing Agreement (“DPA”)
DEFINITIONS:
| Term | Definition |
|---|---|
| Agreement | means the agreement entered into between the Controller and Protect Financial; |
| AoC | means Attestation of Compliance under PCI DSS; |
| Cardholder Data | has the meaning given in the PCI DSS; |
| Contractual Clauses | means those clauses set out in the annex to the European Commission’s decision C(2010)593 for the transfer of Personal Data to Processors established in third countries which do not ensure an adequate level of data protection; |
| Controller | means the Member or Facilitator, which acts as a Data Controller; |
| Controller’s Data | means Personal Data disclosed, transferred, shared, sent, or otherwise made available or accessible to Protect by the Controller, or to a third party, for the purposes of this DPA, including Cardholder Data; |
| Data Protection Laws | means all applicable international, federal, state, provincial and local laws, rules, regulations, directives and governmental requirements that apply to either of the Parties or to any consumer or potential consumer and that relate in any way to the privacy, confidentiality or security of Personal Data; |
| Data Subject | means the identified or identifiable natural person to whom Personal Data relates; |
| Facilitator | means the company which has signed a Facilitator’s Agreement with Protect Financial; |
| GDPR | means the General Data Protection Regulation of the European Union; |
| Information Security Incident | means any threat or hazard to the security, confidentiality, integrity, availability or auditability of Personal Data, including any actual or potential unauthorised access to, or unauthorised acquisition of, Personal Data; |
| ISO | means the International Organization for Standardization; |
| Member | means the company which has signed a Membership Agreement with Protect Financial; |
| Parties | means the Processor and the Controller; |
| Personal Data | has the meaning set out in the relevant Privacy Laws and includes any information which identifies or could reasonably be used to identify an identifiable natural person (Data Subject), including names, addresses, email addresses, telephone numbers, social insurance/security numbers, government identification numbers, Cardholder Data or any other personally identifiable information, including copies of such information, materials derived from such information, and any other information associated with or linked to such information; |
| PCI DSS | means the Payment Card Industry Data Security Standard; |
| Privacy and Information Security Requirements | means a) the Data Protection Laws, b) PCI DSS and c) all applicable provisions of the Parties’ written information security requirements, policies or procedures applicable to this DPA; |
| Processing or to Process | means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; |
| Processor | means Protect Financial; |
| Protect | means Protect Financial International and its affiliates and subsidiaries; |
| SAQD-SP | means Self-Assessment Questionnaire D – Service Provider under PCI DSS; |
| Services | means the services performed by Protect Financial for the Controller under its Membership or Facilitator’s Agreement; |
| Sub-processor | means any person engaged by Protect Financial to Process Personal Data on behalf of the Controller; |
| Supervision Authority | means any body under the Data Protection Laws that has the authority to impose legal sanctions. |
WHEREAS:
- The Member or Facilitator acts as a Controller.
- The Controller wishes to subcontract certain Services to Protect Financial, which include the Processing of Personal Data.
- The Parties seek to implement this DPA to comply with the Data Protection Laws.
- The Parties wish to lay down their rights and obligations.
- This DPA is in addition to the Agreement.
1. Privacy and Information Security Requirements
Protect Financial agrees:
- to comply with the Data Protection Laws;
- to engage Sub-processors in accordance with clause 8;
- to develop, implement and maintain such organisational and technical security measures as are sufficient to meet its obligations under this DPA, taking into account the nature of the Processing;
- to act only on the Controller’s documented instructions.
2. EU Standard Contractual Clauses & PCI DSS
- Protect Financial shall not transfer any Personal Data to Processors or Sub-processors established in third countries which do not ensure an adequate level of data protection; in consequence, this DPA does not need to incorporate the EU’s Contractual Clauses.
- Neither Protect Financial nor any Sub-processor handles card data, and therefore PCI DSS compliance does not arise.
3. Order of Precedence
- This DPA is incorporated into and forms part of the Agreement. For matters not addressed in the DPA, the Agreement applies. In the event of conflict between the DPA and the Agreement, the DPA applies.
4. Employees, Agents or Contractors
- Protect Financial shall take reasonable steps to ensure the reliability of employees, agents or contractors who may have access to Personal Data, and to provide them if necessary with appropriate training on their responsibilities. Access to Personal Data shall be restricted to those requiring it to fulfil Protect Financial’s obligations.
- Protect Financial shall ensure that its employees, agents or contractors are subject to all Privacy and Information Security Requirements, including informing them of the confidential nature of Personal Data.
5. Security
- Protect Financial has implemented, and shall continue to improve and implement, appropriate technical and organisational measures to safeguard Personal Data, including protection against unauthorised or unlawful Processing and against accidental or unlawful destruction, alteration, damage or loss of, or unauthorised disclosure of or access to, Personal Data, in accordance with the Data Protection Laws.
- Protect Financial shall delete Personal Data when requested to do so by the Controller, except that required for ongoing insurance purposes, which shall be deleted as soon as it is no longer required.
6. Duration
- The duration (term) of this DPA is the same as the Agreement with the exception of any DPA provisions intended to survive termination. Any right to terminate the DPA separately before the termination of the Agreement shall be excluded to the extent permitted by applicable law.
- On termination of the Agreement, Protect Financial shall delete all Personal Data except that required for ongoing insurance purposes, which shall be deleted as soon as it is no longer required.
7. Processing of Controller’s Personal Data
- The Personal Data submitted by the Controller is the consumer’s name. Where a consumer claims a reimbursement, they do so directly with Protect Financial, and the Personal Data received might include the consumer’s identification, contact information, bank or credit card data, and medical records, including those of an immediate family member.
- Protect Financial, and any Sub-processor, shall not use or disclose Personal Data for any purpose other than the Admissible Purpose.
- Protect Financial shall provide assistance to the Controller in dealing with a Data Subject’s complaint or a Supervision Authority’s investigation, or a Data Protection Impact Assessment.
8. Sub-processors
- Protect Financial may use one or more of the following Sub-processors and their affiliates:
  - Microsoft Corporation: our platform is hosted on Azure.
  - HCC International Insurance Co PLC: insures our liability to make reimbursements.
  - Allianz Global Corporate and Specialty SE: insures our liability to make reimbursements.
- Protect Financial shall not use any other Sub-processor without the Controller’s written consent, such consent not to be unreasonably withheld.
9. Data Subject Rights
- Taking into account the nature of the Processing, Protect Financial shall assist the Controller in fulfilling its obligations to respond to Data Subjects’ requests to exercise their individual rights.
- Protect Financial shall promptly notify the Controller if it receives a request from a Data Subject under any Data Protection Law in respect of Personal Data.
- Protect Financial shall not respond to such requests except on the documented instructions of the Controller or as required by any Data Protection Law, in which case Protect Financial shall, to the extent permitted by law, inform Controller of that legal requirement before responding to the request.
10. Audit
- The Controller has the right, on reasonable notice, to audit Protect Financial’s data security policies, practices and procedures and its compliance with this section.
11. Information Security Incident
- Protect Financial shall inform the Controller promptly in writing of any Information Security Incident involving Personal Data of which it becomes aware, including reasonable detail about the actual and/or anticipated effect on the Controller and the corrective action being taken by Protect Financial.
- In the event of an Information Security Incident involving the Controller’s Personal Data Processed by Protect Financial, Protect Financial shall promptly take all necessary corrective actions, at its own cost and expense, and cooperate with the Controller in all reasonable and lawful efforts to mitigate the effects of such Information Security Incident. Protect Financial shall reimburse reasonable costs incurred by the Controller in relation to such Information Security Incident.
12. Indemnities
- Protect Financial shall indemnify the Controller and its representatives, and hold the Controller harmless, from and against any reasonable costs resulting from Protect Financial’s non-compliance with the Privacy Laws which is a direct consequence of the actions or omissions of Protect Financial.
- The Controller shall indemnify Protect Financial and its representatives, and hold Protect Financial harmless, from and against any reasonable costs resulting from the Controller’s non-compliance with the Privacy Laws which is a direct consequence of the actions or omissions of the Controller.
13. Change Requests
- Any request made by the Controller to change Protect Financial’s security of Personal Data or its Processing, due to changes in the Privacy Laws or industry standards, shall be made in writing and requires written acceptance by Protect Financial.
14. Notices & Governing Law
- Same as per the Agreement.