Data Processing Agreement
Effective as of 16/01/2023
Amended as of 16/01/2023
This Data Processing Agreement ("DPA") forms part of, and is subject to, the provisions of the specific SumUp Terms applicable for the Service(s) that you may use (the "Additional Terms") and any other applicable SumUp terms and conditions, including but not limited to, SumUp’s General Terms (herein collectively the "Terms") concluded and agreed by and between you as SumUp’s merchant ("you", "Data Controller") and SumUp’s contracting entity as indicated in the applicable Additional Terms ("SumUp", "we", "Data Processor"), part of SumUp S.A.R.L. Group Companies – SumUp Group.
To provide you with the Services under the Additional Terms, SumUp processes the personal data of your employees, your customers, visitors to your store or site, and/or users of your services ("Your Customers", "Customers", "End Customers"). The processing of such data by SumUp is hereinafter referred to as "processing" (as that term is defined under the Applicable Data Protection Legislation). The following DPA sets forth the terms of such processing by SumUp.
Each party agrees and will ensure that the terms of this DPA shall also be fully applicable to its affiliates, which may be involved in the processing of personal data for the Services defined in the Additional Terms. Specifically, SumUp will ensure that all sub-processors operate under the same terms as this DPA when processing Your Customers’ Data.
1. Definitions
1.1. "Applicable Data Protection Legislation" means all laws relating to the processing of personal data under the Additional Terms, the Terms, and this DPA, including, without limitation, the Data Protection Act 2018, the EU General Data Protection Regulation 2016/679 (“GDPR”, “the Regulation”), the EU Privacy and Electronic Communications Directive 2002/58/EC, as implemented in each jurisdiction, and all amendments, or all other applicable or replacement international, regional or national data protection laws, regulations, and regulatory guidance.
1.2. The terms "controller", "data subject", "personal data", "processing", and "processor" have the meanings given to these terms in the Applicable Data Protection Legislation.
1.3. "Content" means your Content and any content provided to SumUp from Your Customers, including, without limitation text, photos, images, audio, video, code, information from cookies or similar tracking technologies and any other materials.
1.4. "Your Data", “Your Customers’ Data” means the personal data in the Content as processed by SumUp, on your behalf, as part of the Services and/or your employees, accountants and/or Customers’ Data as processed on your behalf for the performance of the Services. Your Customers’ Data does not include personal data if such data is controlled by SumUp according to this DPA and SumUp’s Privacy Policy.
1.5. All definitions that are used in the present DPA but do not have an explicit definition in this section will have their meaning defined in the Additional Terms. If there is no specific definition in the Additional Terms or the Terms, their meaning will be the one given in the Applicable Data Protection Legislation.
2. Applicability. This DPA only applies in respect of Your Customers’ Data as processed by SumUp on behalf of you for the purpose of providing the Services. You agree that SumUp is not responsible for personal data that you have chosen to process through third party services or outside of the Services, including the systems of any other third-party cloud services, offline, or on-site storage.
3. Data Processing Details. SumUp will process personal data in accordance with Appendix 1 hereto.
4. Rights and Obligations
4.1. To the extent Your Customers’ Data is processed by SumUp on your behalf and this processing is subject to the Applicable Data Protection Legislation, you acknowledge and agree that for the purposes of provision of the Services by SumUp, you are the Data Controller of such personal data, and by using SumUp’s Services, you have instructed SumUp to process Your Customers’ Data on your behalf, pursuant to this DPA.
4.2. You can revoke your acceptance of this DPA at any stage, but if you do so, SumUp will no longer be able to provide you with the Services.
4.3. SumUp, in its capacity of personal data processor:
a. Processes Your Customers’ Data only for the purposes specified in the DPA and in accordance with the applicable law and the DPA;
b. May only act and process Your Customers’ Data in accordance with your documented instructions, unless required by law, Court order, or legislative measure, to act without such instruction. Your instructions, at the time of entering into this DPA, are that SumUp may only process Your Customers’ Data for the purpose of delivering the Services as described in the DPA and the Additional Terms. Subject to the terms of this DPA, and with mutual agreement of both parties, you may issue additional written instructions consistent with the terms of this DPA;
c. Guarantees that the persons authorised to process personal data have committed themselves to confidentiality or are under a legal obligation to maintain confidentiality;
d. Guarantees that access to the personal data is granted on a need-to-know basis with respect to the performance of the Services under the Additional Terms;
e. Is responsible for ensuring that employees/sub-contractors and/or any agents processing Your Customers’ Data only process the personal data in accordance with your instructions;
f. Will inform you immediately if we believe that any of your instructions contradicts Applicable Data Protection Legislation;
g. Is obliged to protect Your Customers’ Data under this DPA from any destruction, alteration, loss, or other unauthorised processing. For this purpose, SumUp takes appropriate security measures in accordance with applicable law. SumUp may introduce alternative measures of equivalent adequacy, provided that such alternatives do not reduce the level of security defined by the existing measures. SumUp will assist you with appropriate technical and organisational measures as required and, taking into account the nature of the processing and the information available to SumUp, help to ensure compliance with your obligations under Applicable Data Protection Legislation.
h. Upon your reasonable request, makes available certifications demonstrating SumUp’s compliance with its obligations under this DPA and Applicable Data Protection Legislation; and/or makes available information necessary to demonstrate compliance with obligations under this DPA and Applicable Data Protection Legislation. The information to be made available by SumUp is limited solely to information which is necessary, as defined by SumUp, taking into account the nature of the Services and the information available to SumUp, to assist you in complying with your obligations, especially with respect to obligations of data protection impact assessments, prior consultation and ensuring security of personal data;
i. Will assist you, within reasonable timeframes, by appropriate measures and, as reasonably possible (considering the nature of the processing), in complying with data subject rights and all other relevant obligations under Applicable Data Protection Legislation;
j. Will provide you notice, if permitted by applicable law, upon receiving an inquiry or complaint from an individual whose personal data is processed under the DPA, or a binding demand from a government, law enforcement, regulatory or other body, in respect of Your Customers’ Data that we process on your behalf and under your instructions.
4.4. You, in the capacity of personal data controller:
a. Will collect, use and process personal data in accordance with any and all Applicable Data Protection Legislation;
b. Have sole responsibility for the accuracy, quality, and lawful processing of Your Customers’ Data and the means by which it was obtained;
c. Ensure the appropriate level of security when using the Services, taking into consideration any risks with respect to Your Customers’ Data;
d. Acknowledge that any storage and/or transfer that you make of Your Customers’ Data to any third-party or platform, other than SumUp, shall be at your sole risk and responsibility;
e. Ensure that your instructions with regards to personal data processing comply with all laws, regulations and rules applicable in relation to Your Customers’ Data. You will also ensure that the processing of Your Customers’ Data in accordance with your instructions will not cause or result in us or you being in breach of any laws, rules or regulations;
f. Provide Your Customers with the necessary information on how and why their data is processed, as required by the Applicable Data Protection Legislation.
5. Breach Notifications. Each party shall inform the other party immediately (and in any event no later than 48 hours) after it becomes aware of a personal data breach in relation to personal data processed under this DPA. SumUp will assist you in complying with your data breach notification obligations and will provide you with any information about the breach which we are reasonably able to disclose to you, taking into account the nature of the Services, the information available to us and any restrictions on disclosing the information, such as confidentiality requirements. Notwithstanding the foregoing, SumUp’s obligations under this section do not apply to incidents that are caused by you, by any activity on your account, and/or by activity of third-party services. SumUp is obliged to cooperate with and support you regarding the investigation of the personal data breach, the minimisation of its negative consequences, its rectification, and the prevention of similar data breaches in the future. SumUp’s notification of a personal data breach will not be deemed an acknowledgement by SumUp of any fault or liability with respect to such incident. In the event of a personal data breach, you shall be obligated to take the measures required under applicable laws in connection with Your Customers’ Data.
6. Sub-Processors. You hereby grant SumUp general authorisation to engage sub-processors in order to provide the Services without obtaining any further written, specific authorisation. SumUp will execute an agreement with each sub-processor ensuring that the sub-processor is bound by terms providing at least the same level of protection and security as those set out in this DPA. If you object to any sub-processor and your objection is reasonable and related to data protection concerns, we will use commercially reasonable efforts to make available to you a means of avoiding the processing of Your Customers’ Data by the objected-to sub-processor. If we are unable to make these changes available within a reasonable period, we will notify you, and if you still object to our use of that sub-processor, you may cancel or terminate your account or, where possible, the portions of the Services that involve the use of that sub-processor.
7. Transfer of Personal Data. The processing of Your Customers’ Data shall take place within the territory of the European Economic Area ("EEA") and the United Kingdom. Any transfer to, and processing in, a third country outside the EU/EEA and the United Kingdom that does not ensure an adequate level of protection under the Applicable Data Protection Legislation (including under adopted UK adequacy regulations) shall be undertaken in accordance with the Standard Contractual Clauses or another appropriate mechanism guaranteeing an adequate level of protection for personal data in accordance with the requirements of the Applicable Data Protection Legislation.
8. Audits. You are entitled to initiate a review of SumUp’s obligations under this DPA once a year. Both parties shall decide together whether a third party should conduct the audit. However, you may allow us to have the security review carried out by a neutral third party of our choice. If the proposed scope of the audit is covered by an ISO or similar certification report issued by a qualified third-party auditor within the previous twelve months, and SumUp confirms that there have been no material changes in the measures under review, that report will satisfy any audit requests received within that period. Audits may not unreasonably interfere with SumUp's business-as-usual activities. You are responsible for all costs associated with your request for an audit review. Once a year, upon prior written request by the Data Controller and to the extent required under the Applicable Data Protection Legislation, SumUp agrees to cooperate and, within a reasonable time, provide the Data Controller with:
(a) a summary of audit reports demonstrating the effectiveness of technical and organizational measures taken by SumUp against the unauthorized or unlawful processing of personal data and against the unauthorized access to, accidental loss or destruction of, or damage to, personal data and
(b) confirmation that the audit did not reveal any material vulnerability in SumUp’s systems or, to the extent that any such vulnerability was detected, that SumUp has fully remedied it.
If the above measures are insufficient to confirm compliance with Applicable Data Protection Legislation or reveal material issues, the Data Controller may request, on at least thirty (30) days’ advance written notice to SumUp, an audit of SumUp’s data protection compliance program by external independent auditors. Both parties shall jointly select the auditors and will mutually agree upon the scope, timing, and duration of the audit. The Data Controller shall take all reasonable measures to limit any adverse impact of the audit on SumUp and is responsible for all costs associated with its request for an audit review as well as any costs arising from such adverse impacts. The Data Controller will make the results of the audit of SumUp’s data protection compliance program available to SumUp.
9. Liability. The liability of each party under this DPA is subject to the exclusions and limitations of liability set out in the Additional Terms and/or the Terms. You agree to indemnify, keep indemnified and defend SumUp at your expense against all costs, claims, damages or expenses incurred by SumUp, or for which SumUp may become liable, due to any failure by you or your employees or agents to comply with the obligations under this DPA.
10. Termination. This DPA shall remain in effect for as long as you use any of SumUp’s Services. Upon termination of your use of the Services, and unless SumUp is required to retain Your Customers’ Data under SumUp’s Additional Terms and/or Terms, any other agreement or applicable laws, SumUp shall delete Your Customers’ Data as soon as reasonably practicable (including upon your written request) and in accordance with SumUp’s Terms and applicable laws.
11. Aggregated Anonymous Data. You acknowledge and accept that SumUp may process aggregated data of any kind relating to you and Your Customers, including Services usage data. You hereby acknowledge, accept and consent that SumUp may use this aggregated anonymous data (the following list not being exhaustive) to analyse, improve and operate its Services and, in general, for any commercial activity, throughout the duration of this DPA and after its termination, to contribute to market analyses, produce statistics, and improve its Products and Services and their security, following good industry practices and/or recommendations.
12. Miscellaneous
12.1. In the event of conflict between this DPA and any of SumUp’s Additional Terms and/or Terms, the provisions of this DPA shall prevail.
12.2. You are responsible for any costs and expenses arising from SumUp’s compliance with your instructions or requests pursuant to the Additional Terms (including this DPA) which fall outside the standard functionality made available by SumUp generally through the Services.
12.3. SumUp shall have the right to amend and/or adjust any of the terms of this DPA as may be required from time to time. Changes to the DPA will be communicated appropriately and made by SumUp in a separate Annex or by other visible means, including posting an updated version of the DPA on our website. The "Amended as of" date at the top of this DPA indicates when this DPA was last revised.
12.4. Any questions regarding this DPA or other personal data processing related requests should be addressed to us at dpo@sumup.com. SumUp will attempt to resolve any complaints regarding the use of Your Customers’ Data in accordance with this DPA, the Terms and SumUp internal policies.
12.5. If any of the provisions of the DPA are deemed invalid, this does not affect the remaining provisions. The parties shall replace invalid provisions with a legal provision that reflects the purpose of the invalid provision.
12.6. This DPA shall be governed by and construed in accordance with the law governing the applicable Additional Terms.
Appendix 1
1. Subject Matter. The subject matter is the data processing under this DPA.
2. Purpose and Nature of the Processing. The purpose of the data processing under this DPA is the provision and improvement of the Services initiated by you.
3. Duration. As between you and us, the duration of the data processing under this DPA is determined by you and for the selected period for which you choose to use our Services.
4. Categories of Data Subjects. Your Customers, Your Customers’ potential customers, your employees, accountants (for Invoicing and Accounting) and/or any other individuals whose personal data are included in the Content. For Gift Cards, gift card buyers and/or gift card recipients or other individuals whose personal data are processed as part of the Gift Cards Services in accordance with the Additional Terms and SumUp’s Terms.
5. Type of Personal Data. Your Customers’ Data are processed as part of the Services in accordance with the Terms and the instructions given. These data may differ depending on the Services used and may include, but are not limited to:
Online Store
Your Customers’ names, e-mail address, mobile/phone number, physical address(es), payment details, transactional/order history, IP address, information from cookies and similar technologies, marketing preferences.
Gift Cards
Names and e-mail addresses of purchasing and gift card receiving customer, gift card amount, gift card message.
Invoicing and Accounting
Names, physical address(es), mobile/phone number, email address(es), account numbers and/or bank details, subject of the invoice, transaction/order data, status of the invoices.
POS
Names, physical address(es), mobile/phone number, email address(es), transaction/order data, comments; and, for your employees: staff number, login credentials, IP address, role, email, orders, language preferences.
Special categories of personal data, including data relating to criminal convictions and offences, are not deemed to be processed under the Services and are excluded from the terms of this DPA. If such data are nonetheless processed while you use our Services, this occurs without the knowledge of SumUp, and you should delete such information immediately after you identify such processing.