This Personal Data Processing Agreement (the “Agreement”) is an integral part of the Payment Service Agreement between the Service Provider and the Service Recipient, as identified in the special conditions of the Payment Service Agreement.
1. PREAMBLE
1.1. The parties have entered into Payment Service Agreement (the "Main Agreement"), under which, in performance of its contractual obligations, it shall exchange information which, in certain cases provided for in the Main Agreement, includes the Personal Data of the Data Subjects. The Parties confirm that, in the event that one Party discloses to the other Party Personal Data of the Data Subject, each Party shall be responsible for ensuring that the Personal Data of the Data Subject are processed in accordance with all applicable laws of the Party, as the Controller, including but not limited to The Personal Data Protection Law of the Republic of Lithuania, the General Data Protection Regulation (“GDPR”).
1.2. The Parties confirm that the Personal Data will be used only for the purpose for which they were transmitted, unless the Party has another legitimate purpose for further processing of the Personal Data and complies with the legislation of the Republic of Lithuania and the provisions of GDPR.
1.3. Taking into account that the Service Provider may/ will use Data Processors in fulfilling the obligations of the Main Agreement, the Parties agree that Personal Data may be transferred only to those Data Processors, which are specified in Annex No. 1 or about which the Service Recipient is informed in writing and which expressly consents to the transfer of Personal Data to the specified Data Processors.
1.4. The Parties confirm that the Service Recipient and the Service Provider are two separate and independent Controllers of the Data Subjects.
1.5. The Parties, on a voluntary basis, shall enter into a Personal Data Processing Agreement (hereinafter referred to as the "Agreement"), which sets out the rights and obligations of both Parties with regard to the protection and processing of Personal Data.
1.6. This Agreement shall form an integral part of the Main Agreement.
2. DEFINITIONS
2.1. Personal data - means any information relating to an identified or identifiable natural person.
2.2. Personal data security violation - a situation where accidental or unlawful destruction, loss, alteration, unauthorized disclosure, transfer or storage of Personal Data or unauthorized access to them occurs.
2.3. Data Recipient - a Data Controller, who receives Personal Data from another Data Controller.
2.4. Data Subject - a natural person whose Personal data is processed in accordance with the Main Agreement and this Agreement.
2.5. Processing - means any operation or sequence of operations carried out by automated or non-automated means on Personal Data or a collection of Personal Data, such as collection, recording, sorting, systematizing, storing, adapting or modifying, searching, using, disclosing, transmitting, distributing or otherwise enabling including access to, restriction of, access to, deletion of, or destruction of, other data.
2.6. Data Controller - a legal entity that determines the purposes and means of processing of Personal Data.
2.7. Data Processor - a natural or legal person who processes personal data on behalf of the Data Controller and in accordance with the instructions of the Data Controller.
2.8. Services - all services provided by the Service Provider to the Service Recipient under the Main Agreement.
2.9. Other terms used in this Agreement shall be understood as defined in the GDPR and other legal acts of the European Union.
3. SUBJECT MATTER OF THE AGREEMENT
3.1. By this Agreement, the Parties agree to provide the Personal Data referred to in Annex No. 1, for the purposes of implementing the Main Agreement, as well as for any other legitimate purpose for the further processing of Personal Data and in compliance with the applicable legislation.
4. OBLIGATIONS OF THE PARTIES
4.1. Each Controller warrants and represents that:
4.1.1. Personal data is collected and processed in accordance with the provisions of the GDPR;
4.1.2. Upon request, provide Data Subjects with information on the processing of Personal Data, including their transfer;
4.1.3. apply appropriate technical and organizational measures to ensure the security of Personal Data and the protection of the rights of Data Subjects;
4.1.4. will process Personal Data in Attachment no. 1, and for no longer than is necessary for the purpose of processing the Personal Data;
4.1.5. duly inform the Data Subjects of the transfer of the Personal Data by the Data Controller to another Data Controller;
4.1.6. ensure that its staff, service providers and data processors handling Personal Data are made aware of their obligation to protect Personal Data;
4.1.7. immediately inform the other Party in writing of a potential violation of Personal Data security.
5. LIABILITY OF THE PARTIES
5.1. Each Party shall perform its obligations under this Agreement at its own expense and shall be responsible for the improper performance and / or non-performance of these obligations.
5.2. Each Party shall be liable to the other Party for direct damage caused by any violation of this Agreement due to its fault, as stipulated in the Main Agreement. Each Party shall be directly liable to the Data Subjects for any damage caused by any violation of the Data Subjects' rights.
5.3. In the event of a dispute with the Data Subject or the Lithuanian Data Protection Inspectorate, or any one or both of the Parties regarding the processing of Personal Data, the Parties will notify each other of any disputes or claims and cooperate to resolve them peacefully and timely.
6. TERMINATION
6.1. If one of the Data Controllers improperly performs or violates its obligations under this Agreement or the applicable legislation, the other Data Controller may suspend the provision of Personal Data to the other Party until such breach is rectified or the Agreement is terminated. If the specific breach is not remedied within a reasonable time, the first Party shall have the right to terminate the Agreement unilaterally in accordance with clause 6.3 of this Agreement.
6.2. Each data controller is responsible for the confidentiality and security of personal data from the moment of receipt. In cases where a threat is identified or reasonable suspicions arise about a threat to the confidentiality of personal data, and/or if the Party receiving personal data does not ensure the proper protection of the provided personal data, the Party providing personal data informs the Party receiving personal data about it and has the right to temporarily suspend the provision of personal data. Each data controller assumes full responsibility for its data processors and their subprocessors.
6.3. In the event of a material or persistent breach by the receiving Party of its obligations under this Agreement or the bankruptcy or liquidation of the receiving Party. The providing Party shall have the right to terminate this Agreement, without prejudice to any other rights it may have against the receiving Party.
6.4. If this Agreement is terminated, each Party may process or destroy the Personal Data it receives (unless it has the right to further process) in accordance with the applicable legislation and in accordance with its obligations as a Data Controller. If there is another purpose for processing Personal Data, a Party may continue to process Personal Data for this purpose in accordance with the laws of the European Union and the Republic of Lithuania.
7. FINAL PROVISIONS
7.1. This Agreement shall be governed by and construed in accordance with the laws of the Republic of Lithuania.
7.2. Neither Party may assign its rights and obligations under this Agreement to any third party without the consent of the other Party. This requirement shall not apply to the use of Data Processors.
7.3. This Agreement forms an integral part of the Main Agreement. By signing the special conditions of the Main Agreement, the Service Recipient confirms it has read, understood and agreed to this Agreement.
ANNEX NO. 1 "DATA PROVISION INFORMATION" TO THE PERSONAL DATA PROCESSING AGREEMENT
The Parties hereby sign this Annex No. 1 (hereinafter referred to as "the Annex") to clarify the provision of data as specified in the Personal Data Processing Agreement (the "Agreement") The terms used in the Annex correspond to the definitions used in the Main Agreement and in the Agreement.
1. PURPOSE OF DATA PROVISION
1.1. The data may be processed for the purposes of performing the Main Agreement signed by the Parties, for the fulfillment of the statutory duties related to the performance of the services specified therein, as well as for the legitimate interests of the Service Provider for the collection of debts.
2. LEGAL BASIS FOR DATA SUBMISSION AND RECEIPT
2.1. Data shall be processed in accordance with the laws of the Republic of Lithuania, the Main Agreement and the General Data Protection Regulation (Article 6 (1) (b), (c), (f)).
3. CATEGORIES OF DATA SUBJECTS
3.1. The categories of Data Subjects are the clients of the Service Recipient (Payers) and employees of the Parties and / or Data Processors and/ or representatives of the Data Processors.
4. DATA CATEGORIES
4.1. For the purposes of performance of the Main Agreement, (payment services, debt collection), the Parties shall provide each other in a secure manner with:
4.1.1. The Service Recipient may provide the Service Provider with the following data for the purpose of providing payment services:
4.1.1.1. Unique payment transaction identification number provided by the Service Recipient;
4.1.1.2. Amount payable by the Payer;
4.1.1.3. Payer's payment currency;
4.1.1.4. Recipient of the payment made by the Payer;
4.1.1.5. IBAN account number of the payee of the payment made by the Payer;
4.1.1.6. Purpose of the payment made by the Payer;
4.1.1.7. BIC of the payment institution chosen by the Payer/ Payment institution chosen by the Payer;
4.1.1.8. Payer's personal code;
4.1.1.9. Payer‘s email address.
4.1.1.10. The first 6 (six) and the last 4 (four) digits of the card number (only for PCOV service)
4.1.1.11. Other data related to a specific Payer's payment transaction.
4.1.2. The Service Provider may provide the Service Recipient with the following data for the purpose of providing payment services:
4.1.2.1. Payer's name, surname;
4.1.2.2. Payer's payment status, date and time;
4.1.2.3. Unique payment transaction identification number provided by the Service Recipient;
4.1.2.4. Amount payable by the Payer;
4.1.2.5. Payer's payment currency;
4.1.2.6. Recipient of the payment made by the Payer;
4.1.2.7. IBAN account number of the payee of the payment made by the Payer;
4.1.2.8. Purpose of the payment made by the Payer;
4.1.2.9. BIC of the payment institution chosen by the Payer/ Payment institution chosen by the Payer;
4.1.2.10. Other data related to the Payer / Payer's payment. 4.2. In order to identify a person entitled to represent a Party, perform written agreements concluded by the Parties on its behalf, perform other functions related to the performance of the Framework Agreement, exercise the rights provided for in the Main Agreement, the Parties shall provide each other with the following Data:
4.2.1. Position, name, surname of the employees of the Parties and / or Data Processors and/ or representatives of the Data Processors;
4.2.2. Telephone number, e-mail of the representatives of the Parties' employees and / or Data Processors and/ or representatives of the Data Processors.
4.2.3. The Parties expressly agree that they have duly informed their employees, the representatives of the Data Controllers about the transfer of their personal data to the other Party for the purposes of the performance of the Main Agreement.
5. DATA RETENTION PERIOD
5.1. Each Party, acting as an independent Data Controller, shall retain personal data only for as long as it is necessary to fulfill their respective purposes under the Main Agreement and in compliance with applicable laws.
5.2. Upon the termination or expiration of the Main Agreement, each Party shall delete or anonymize the personal data under their control unless further retention is required by applicable laws or necessary to exercise or defend legal claims.
6. DATA REPORTING PROCEDURE
6.1. The Parties shall transmit the data automatically using secure software interfaces or by e-mail encrypting the correspondence sent.
7. LIST OF DATA PROCESSORS OF THE SERVICE PROVIDER
7.1. The Parties agree that Personal Data may be processed by the following Data Processors on behalf of the Service Provider:
7.1.1. The individual company “Hosty”,under the service agreement, provides administration and maintenance of the server used by the Service Provider;
7.1.2. Private Limited Liability Company “BankingLab”, provides HSM service under the service agreement;
7.1.3. Private Limited Liability Company “Klavakrapštis”, provides payment services programming and monitoring services under the service agreement.
7.2. The Parties agree that the Service Provider must inform the Service Recipient in writing in advance of any changes in the list of Data Processors.
