Data Protection Agreement

This Data Protection Agreement (“DPA”) forms part of, and is subject to, the provisions of Additional Terms of Use for Gift Cards (the “Agreement”, the “Additional Terms”), Privacy Policy and any other applicable SumUp Terms and Conditions (herein the “Terms”, “Privacy Policy”) concluded and agreed by and between you as SumUp’s merchant (“you”) and SumUp Payments Limited, 32 - 34 Great Marlborough St, W1F 7JB, London, UK (“SumUp”, “we”), part of SumUp S.A.R.L. Group Companies – SumUp Group.

Both SumUp and you (“parties”) agree and ensure that the terms of this DPA shall also be fully applicable to its affiliates which may be involved in the processing of personal data for the Gift Cards Services defined in the Additional Terms.

In order to provide you with the Gift Cards Services under the Additional Terms, SumUp processes data of customers of Gift Cards Services (“Your Customers”, “Customers”). The processing of such data by SumUp is hereinafter referred to as “processing” (as such term is defined under the GDPR). The DPA sets forth the terms of such processing by SumUp.

1. Definitions.

a. “Applicable Data Protection Legislation” means Regulation (EU) 2016/679 (the “GDPR”, “Regulation”) as well as all other applicable legislation in force regulating the processing of personal data, including, as applicable, the e-Privacy Directive 2002/58/EC.

b. The terms “controller”, “data subject”, “personal data”, “process”, “processing”, “processor” and “joint controllers” have the meanings given to these terms in the GDPR.

c. “Your Customers’ Data” means the personal data of Your Customer(s) – gift buyers, gift recipients and any other individual whose data are processed in relation to our Gift Cards Services.

All definitions that are used in the present DPA but do not have an explicit definition in this section will have the meaning defined in the Additional Terms. If there is no specific definition in the Additional Terms or the Terms, their meaning will be the one given in the GDPR or in the other applicable rules if not defined in the Regulation.

2. Applicability, Scope and Roles.

2.1 This DPA regulates the processing of personal data only on the basis, for the purposes and within the term of validity of provision of SumUp’s Gift Cards Services or associated services under the Additional Terms.

2.2 This DPA is not applicable for personal data processed by each party in its capacity as independent personal data controller. You agree that SumUp is not responsible for personal data that you have chosen to process through third party services or outside of the Gift Cards Services, including the systems of any other third-party cloud services, offline or on-site storage.

2.3 To the extent Your Customers’ Data are processed by SumUp on your behalf and this processing is subject to the GDPR, you acknowledge and agree that for the purposes of provision of the Gift Cards Services by SumUp, you are data controller of such personal data, and by using SumUp’s Services, you have instructed SumUp to process Your Customers’ Data on your behalf, pursuant to this DPA. SumUp acts as a data processor on behalf of you, except where personal data of Your Customers is used for our own purposes such as, but not limited to, risk/fraud screening, compliance with law, protection of our interests, improvement of our services. You are the issuer of the gift card and we are providing you with the solution for gift cards issuing.

2.4 If we process personal data of Your Customers for jointly determined purposes and means, we might be considered joint controllers with you. Such joint controllership relationship might occur if we are relying on one and the same legal ground (such as consent) for joint marketing activities. However, if SumUp is processing the personal data for our own marketing purposes and you are processing it for your own marketing purposes we are independent controllers.

2.5 When sending links for purchase of gift cards to Your Customers, you are controller of their data and you are solely responsible for this processing according to the Applicable Data Protection Legislation.

2.6 You are solely responsible for compliance with any laws and regulations applicable to Your Customers’ Data while it is in your possession, custody, or control. For avoidance of any doubt, you are solely responsible for compliance with Applicable Data Protection Legislation, i.e. independent personal data controller for the processing of Your Customers’ Data before, after or outside of using our Gift Cards Services.

2.7 You can revoke the acceptance of this DPA at any stage, but by doing so SumUp will no longer be able to provide you with the Service.

3. Details of Data Processing.

a. Subject Matter. The subject matter of the data processing under this DPA is the processing of personal data of Your Customers for the purposes of provision of SumUp’s Gift Cards Services.

b. Duration. As between you and us, the duration of the data processing under this DPA is determined by you and for the selected period for which you choose to use our Gift Cards Services.

c. Purpose. The purpose of the data processing under this DPA is the provision of the Gift Cards Services initiated by you.

d. Nature of the Processing. The Gift Cards Services as described in the Additional Terms and as initiated by you.

e. Type of Personal Data. Your Customers’ Data – gift card buyers and/or gift card recipients or other individuals whose personal data are processed as part of the Gift Cards Services in accordance with the Additional Terms and SumUp’s Terms. These data include, but are not limited to, Your Customers’ names, e-mail addresses and bank details. Special categories of personal data, including data relating to criminal convictions and offences, are not deemed to be processed under the Gift Cards Services, and they are excluded from the terms of this DPA. If such data are processed while using our Services, this is without the knowledge of SumUp and you should delete such information immediately after you identify such processing.

f. Categories of Data Subjects. You, Your Customers – gift card buyers and gift card recipients – and any other individuals whose personal data are processed for provision of the Gift Cards Services.

4. Rights and Obligations.

4.1 SumUp in its capacity of personal data processor acting on your behalf:

a. processes Your Customers’ Data only for the purposes specified in the DPA and in accordance with the applicable law and the DPA.

b. may only act and process Your Customers’ Data in accordance with your documented instruction, unless required by law, Court order or legislative measure, to act without such instruction. Your instruction, at the time of entering into this DPA, is that SumUp may only process Your Customers’ Data for the purpose of delivering the Gift Cards Services as described in the DPA and the Additional Terms. Subject to the terms of this DPA, and with mutual agreement of both parties, you may issue additional written instructions consistent with the terms of this DPA.

c. guarantees that the persons authorized to process personal data have assumed the confidentiality obligation or are legally required to maintain confidentiality obligations.

d. guarantees that the access to the personal data is granted on a need to know basis with respect to the performance of the Gift Cards Services under the Additional Terms.

e. is responsible for ensuring that employees/sub-contractors and/or any agents processing Your Customers’ Data only process the personal data in accordance with your instructions.

f. will inform you immediately in case we consider that some or any of your instructions contradict Applicable Data Protection Legislation.

g. is obliged to protect Your Customers’ Data under this DPA from any destruction, alteration, loss and any other unauthorised processing. For this purpose, SumUp takes appropriate security measures in accordance with applicable law. Technical and organisational measures applied by SumUp are dependent on technical advancement. It is possible that SumUp may introduce some alternative adequate measures. It is not possible to decrease the level of the defined security measures when introducing such alternatives. SumUp will assist you with appropriate technical and organisational measures as required and, considering the nature of the processing and the category of information available to SumUp, help to ensure compliance with your obligations under the Applicable Data Protection Legislation.

h. upon your reasonable request, makes available certifications demonstrating SumUp’s compliance with its obligations under this DPA and Applicable Data Protection Legislation; and/or makes available information necessary to demonstrate compliance with obligations under this DPA and Applicable Data Protection Legislation. The information to be made available by SumUp is limited to solely necessary information, taking into account the nature of the Gift Cards Services and the information available to SumUp, to assist you in complying with your obligations, especially with respect to Art. 32 and 36 GDPR (obligations in respect of data protection impact assessments, prior consultation and ensuring security of personal data).

i. will assist you, within reasonable timeframes, by appropriate measures and, as reasonably possible (considering the nature of the processing), in complying with data subject rights and all other relevant obligations under data privacy regulations, including the GDPR.

j. will provide you notice, if permitted by applicable law, upon receiving an inquiry or complaint from an individual whose personal data are processed for the provision of Gift Cards Services or a binding demand from a government, law enforcement, regulatory or other body, in respect of Your Customers’ Data that we process on your behalf and instructions.

4.2 You in the capacity of personal data controller:

a. will collect, use and process personal data in accordance with any and all Applicable Data Protection Legislation.

b. have sole responsibility for the accuracy, quality, and lawful processing of Your Customers’ Data and the means by which it was obtained.

c. ensure the appropriate level of security when using the Gift Cards Services, taking into consideration any risks with respect to Your Customers’ Data.

d. acknowledge that any storage and/or transfer that you make of Your Customers’ Data to any third-party or platform, other than SumUp, shall be at your sole risk and responsibility.

e. ensure that your instructions with regards to personal data processing comply with all laws, regulations and rules applicable in relation to Your Customers’ Data. You will also ensure that the processing of Your Customers’ Data in accordance with your instructions will not cause or result in us or you being in breach of any laws, rules or regulations (including the GDPR).

4.3 You shall adopt and comply with your own "customer privacy policy." Your privacy policy will be available so that your customers have notice of your data collection and use practices and will otherwise comply with Applicable Data Protection Legislation. Your customer privacy policy will include descriptions so that your customers are aware of how their data are used by you and us.

4.4 For every listing, message or campaign sent or distributed via the Gift Cards Services, you agree that we may add a link relating to options to "Unsubscribe" for personal data regulatory reasons and/or a statement such as "Email Marketing by SumUp" or "Powered by SumUp" in the footer or other similar location that does not unreasonably obscure the message or campaign.

4.5 When acting as independent controller or joint controller each party is obliged to comply with the Applicable Data Protection Legislation for personal data protection as well as any specific legal act applicable for the regime of information processed during performance of its activities.

4.6 When acting as joint controllers, both parties agree that data subjects whose personal data are processed for the Gift Cards Services may exercise their rights related to the personal data processing against each one of the parties unless otherwise agreed. When acting as joint controllers for joint marketing activities relying on one and the same legal ground for processing of the personal data – consent from the gift card buyer and/or gift card recipient – you agree that in case of withdrawal of this consent made by the data subject directly to you, you will inform SumUp immediately. If one of the parties receives a request or inquiry from a data subject regarding matters covered by the other party's responsibility, the request is forwarded to such party without undue delay.

4.7 When acting as independent controller or joint controller, each party guarantees that the necessary information under Art. 13 and 14 of the GDPR is provided to the data subjects whose personal data are processed for the provision of Gift Cards Services. Each party assists the other party in complying with Applicable Data Protection Legislation for respecting data subject rights (if applicable) related to personal data processing and notification of personal data breaches.

4.8 When acting as joint controllers, in case of a received complaint:

a. each party is responsible for the handling of any complaints from data subjects, if the complaints relate to the infringement of provisions in the Regulation for which the party is responsible according to this DPA.

b. if one of the parties receives a complaint which should in full or part rightfully be handled by the other party, the complaint is forwarded without undue delay.

c. in connection with the forwarding of a complaint or part of a complaint to the other Party, the data subject must be notified about the essence of this agreement.

d. the parties inform each other about matters of the essence of the joint processing and this DPA.

5. Breach Notifications.

5.1 Each party shall immediately inform the other party (but not later than 48 hours) after it becomes aware of a personal data breach in relation to personal data processed under this DPA. The party notifying of the breach is obliged to provide the other party with additional information on the personal data breach, and to collect and store evidence of the personal data breach.

5.2 SumUp, in its capacity of personal data processor, will assist you in complying with your notification obligations under Articles 33 and 34 of the GDPR, provide you with such information about the breach as we are reasonably able to disclose to you, taking into account the nature of the Gift Cards Services, the information available to us and any restrictions on disclosing the information, such as for confidentiality. Despite the foregoing, SumUp’s obligations under this section do not apply to incidents that are caused by you, any activity on your account and/or third-party services. SumUp is obliged to cooperate and support you regarding the investigation, the minimization of the negative consequences and rectification of the personal data breach as well as the prevention of future similar data breaches.

5.3 SumUp’s notification of a personal data breach will not be deemed as an acknowledgement by SumUp of any fault or liability with respect to such incident. In the event of a personal data breach, you shall be obligated to take the measures required under applicable laws in connection with Your Customers’ Data.

5.4 In case of joint controllership between you and SumUp, based on the information provided and the specific case, the parties will decide which party shall lead the procedure for breach notification to the personal data authority (if applicable) within the defined Applicable Data Protection Legislation term.

6. Sub-Processors.

Hereby you grant SumUp (when acting as personal data processor) general authorization to engage sub-processors in order to provide the Gift Cards Services without obtaining any further written or specific authorization. SumUp will execute an agreement with each sub-processor ensuring compliance by such sub-processor with terms ensuring at least the same level of protection and security as those set out in this DPA. If you object to any sub-processor and your objection is reasonable and related to data protection concerns, we will use commercially reasonable efforts to make available to you a means of avoiding the processing of Your Customers’ Data by the objected-to sub-processor. If we are unable to make available such suggested changes within a reasonable period of time, we will notify you and, if you still object to our use of such sub-processor, you may cancel or terminate your account or, if possible, the portions of the Gift Cards Services that involve use of such sub-processor.

7. Transfer of Personal Data.

The Processing of Your Customers’ Data by SumUp shall take place within the territory of the European Economic Area (“EEA”). Any transfer to and processing in a third country outside the EU/EEA that does not ensure an adequate level of protection according to the European Commission shall be undertaken in accordance with the Standard Contractual Clauses (2010/87/EU) or another appropriate mechanism guaranteeing an adequate level of personal data security according to the requirements of Chapter V of the GDPR.

8. Audits.

You are entitled to initiate a review of SumUp’s obligations under this DPA only for the processing activities for which SumUp is acting on your behalf – as your personal data processor. The audits may be initiated once per year. If SumUp is required to do so under applicable legislation, audits may be repeated once a year. Both parties decide together if a third party should conduct the audit. However, you may allow us to have the security review carried out by a neutral third party of our choice, if it is a processing environment where multiple data controllers’ data are processed. If the proposed scope of the audit follows an ISO or similar certification report conducted by a qualified third-party auditor within the previous twelve months, and SumUp confirms that there have been no material changes in the measures under review, this will satisfy any requests received within such timeframe. Audits may not unreasonably interfere with SumUp's business-as-usual activities. You are responsible for all costs associated with additional requests for audit review.

9. Liability.

The liability of each party under this DPA is subject to the exclusions and limitations of liability set out in the Additional Terms and/or Terms. You agree that any regulatory penalties or claims by data subjects, or others, incurred by SumUp in relation to Your Customers’ Data that arise as a result of, or in connection with, your failure to comply with your obligations under this DPA or the Applicable Data Protection Legislation, shall reduce SumUp’s maximum aggregate liability to you under the Additional Terms and/or the Terms to the same amount as the fine and/or liability incurred by us as a result.

10. Termination.

10.1 This DPA shall be in effect for as long as you use any of SumUp’s Gift Cards Services. However, if SumUp is obligated, according to the terms of this DPA or any of SumUp’s Terms and Conditions or applicable legislation, to keep personal data processed according to this DPA and/or SumUp’s Terms following the termination of the Gift Cards Services, this DPA shall continue to be in effect for as long as SumUp is required to hold such personal data.

10.2 Upon termination of the use of the Gift Cards Services, and unless SumUp is required to retain Your Customers’ Data under SumUp’s Additional Terms and/or Terms, any agreement or applicable laws, SumUp shall, including upon written request by you, delete the personal data as soon as reasonably practicable and according to SumUp’s Terms and applicable laws.

11. Miscellaneous.

11.1 In the event of contradiction between this DPA and any of SumUp’s Additional Terms and/or Terms, the provisions of this DPA shall govern.

11.2 You are responsible for any costs and expenses arising from SumUp’s compliance with your instructions or requests pursuant to the Additional Terms (including this DPA) which fall outside the standard functionality made available by SumUp generally through the Gift Cards Services.

11.3 SumUp shall have the right to amend and/or adjust any of the terms of this DPA as may be required from time to time. Changes to the Agreement might be made by SumUp in a separate Annex or by other visible means and will be communicated appropriately.

11.4 Any questions regarding this DPA or other personal data processing related requests should be addressed to us at dpo@sumup.com. SumUp will attempt to resolve any complaints regarding the processing of personal data in accordance with this DPA, the Terms and SumUp internal policies.

11.5 If any of the provisions of the DPA are deemed invalid, this does not affect the remaining provisions. The parties shall replace invalid provisions with a legal provision that reflects the purpose of the invalid provision.

11.6 This Agreement is construed in accordance with English law and is governed by the Courts of England and Wales.