Schedule 2 (Data Protection)
DEFINITIONS
Agreed Purposes: to enable the Partner Business to enter into a Liberis Customer Agreement with Liberis and also to work out the Commission due to Partner pursuant to the terms of this Agreement.
Controller, data controller, processor, data processor, data subject, personal data, processing and appropriate technical and organisational measures: as set out in the Data Protection Legislation in force at the time.
Data Protection Legislation: all legislation and regulatory requirements in force from time to time relating to the use of personal data and the privacy of electronic communications, including, without limitation, (i) the UK GDPR and the GDPR (as defined below) and any applicable national implementing laws, regulations and secondary legislation including the UK Data Protection Act 2018, (ii) the Privacy and Electronic Communications Directive (2002/58/EC) and any applicable national implementing laws including the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426), and (iii) any replacement legislation implemented by the United Kingdom (“UK”) pursuant to the withdrawal of the UK from the European Union, in each case as amended, replaced or updated from time to time.
GDPR: means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, as updated, superseded or repealed from time to time;
Permitted Recipients: The Parties to this Agreement, the employees of each Party, and any third parties engaged to perform obligations in connection with this agreement.
SCC: the Standard Contractual Clauses approved by the European Commission and/or the United Kingdom International Data Transfer Agreement or International Data Transfer Addendum (as appropriate) for transfers of personal data to countries not recognised as offering adequate protection under the GDPR and/or UK GDPR (as applicable), or such alternative clauses as may be approved by the European Commission or by the UK from time to time;
Shared Personal Data: the personal data to be shared between the Parties. Shared Personal Data shall be confined to the following categories of information:
(a) Business name of the Liberis Customer (which could contain an individual’s name)
(b) Registration number of the Liberis Customer (if applicable)
(c) Industry type of the Liberis Customer
(d) Business Address of the Liberis Customer
(e) First name, last name and date of birth of any and all directors or employees at the Liberis Customer who own more than a 25% shareholding or are persons with significant control in the Liberis Customer’s business
(f) Personal address of any and all directors or employees at the Liberis Customer
(g) Telephone number of director or employee at the Liberis Customer who is acting as main applicant;
(h) The Liberis Customer’s identification number; and
(i) Email address of director or employee at the Liberis Customer, who is acting as main applicant for the RFP.
UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.
1. Data Protection
1.1. Each Party shall act as a Controller in its own right and accordingly each Party will comply with the applicable obligations under the Data Protection Legislation (as defined in this schedule), including having in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data.
1.2. If the Parties agree that any Party shall act as a Processor for and on behalf of any other Party, the Party shall first enter into a data processing agreement in accordance with the Data Protection Legislation.
1.3. Shared Personal Data. This paragraph sets out the framework for the sharing of personal data between the Parties as data controllers. Each Party acknowledges that one Party (the Data Discloser) will regularly disclose to the other Party (the Data Recipient) Shared Personal Data collected by the Data Discloser for the Agreed Purposes.
1.4. Effect of non-compliance with Data Protection Legislation. Each Party shall comply with all the obligations imposed on a controller under the Data Protection Legislation, and any material breach of the Data Protection Legislation by one Party shall, if not remedied within 30 days of written notice from the other Party, give grounds to the other Party to terminate this Agreement with immediate effect.
1.5. Particular obligations relating to data sharing.
Each Party shall:
(a) ensure that it has all necessary notices and consents in place to enable lawful transfer of the Shared Personal Data to the Permitted Recipients for the Agreed Purposes;
(b) give full information to any data subject whose personal data may be processed under this agreement of the nature of such processing. This includes giving notice that, on the termination of this agreement, personal data relating to them may be retained by or, as the case may be, transferred to one or more of the Permitted Recipients, their successors and assignees;
(c) process the Shared Personal Data only for the Agreed Purposes;
(d) not disclose or allow access to the Shared Personal Data to anyone other than the Permitted Recipients;
(e) ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less onerous than those imposed by this agreement;
(f) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the other Party, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data;
(g) not transfer any personal data received from the Data Discloser outside the EEA or UK unless the transferor:
    (h) complies with the provisions of Article 26 of the GDPR (or equivalent Data Protection Legislation) (in the event the third party is a joint controller); and
    (i) ensures that (i) the transfer is to a country approved by the European Commission or the UK privacy regulator as providing adequate protection pursuant to Article 45 GDPR (or equivalent Data Protection Legislation); (ii) there are appropriate safeguards in place pursuant to Article 46 GDPR (or equivalent Data Protection Legislation), i.e. appropriate SCCs are entered into; or (iii) one of the derogations for specific situations in Article 49 GDPR (or equivalent Data Protection Legislation) applies to the transfer.
1.6. Mutual assistance. Each Party shall assist the other in complying with all applicable requirements of the Data Protection Legislation. In particular, each Party shall:
(a) consult with the other Party about any notices given to data subjects in relation to the Shared Personal Data;
(b) promptly inform the other Party about the receipt of any data subject access request;
(c) provide the other Party with reasonable assistance in complying with any data subject access request;
(d) not disclose or release any Shared Personal Data in response to a data subject access request without first consulting the other Party wherever possible;
(e) assist the other Party, at the cost of the other Party, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
(f) notify the other Party without undue delay on becoming aware of any breach of the Data Protection Legislation;
(g) at the written direction of the Data Discloser, delete or return Shared Personal Data and copies thereof to the Data Discloser on termination of this agreement unless required by law to store the personal data;
(h) use compatible technology for the processing of Shared Personal Data to ensure that there is no lack of accuracy resulting from personal data transfers;
(i) maintain complete and accurate records and information to demonstrate its compliance with this Schedule; and
(j) provide the other Party with contact details of at least one employee as point of contact and responsible manager for all issues arising out of the Data Protection Legislation, including the joint training of relevant staff, the procedures to be followed in the event of a data security breach, and the regular review of the Parties’ compliance with the Data Protection Legislation.
1.7. Transferring to Affiliates. Each Party (Transferring Party) shall be allowed to transfer any data (including without limitation personal data) that it receives under this Agreement to any Affiliates without the consent of the other Party for the sole purpose of enabling the Transferring Party to fulfil its obligations under this Agreement.
Schedule 5 (Security)
The Parties shall comply with the following information security requirements:
2. Basic Security Requirements
The Parties have implemented and shall maintain the necessary technical and organizational measures to ensure and maintain a level of information security (i) adequate for the type and scope of the services each Party provides and the type of Protected Information (as defined below) Liberis accesses, and (ii) required to satisfy current technological standards and Good Industry Practice such as NIST or ISO 27001.
3. Security Management
The Parties have in place, and shall maintain and adhere to, a security policy that covers current state-of-the-art information security management in accordance with Good Industry Practice (e.g. NIST, ISO 270XX).
4. Data Handling
The Parties have established and shall maintain and adhere to documented procedures that demonstrate correctness, integrity and availability of Protected Information throughout all stages of data processing.
The Parties shall encrypt all Protected Information in their control and in transit to/from and/or stored/processed within the services. The Parties shall document their encryption procedures and provide such documentation to the other Party upon its request. The Parties shall manage and store all cryptographic keys in a secure manner.
5. Operational Security
Operational procedures. The Parties have implemented and shall maintain, adhere to, document and make available to their personnel appropriate operational procedures for managing information systems.
Operational segregation. The Parties shall segregate duties and keep user access rights to the necessary minimum to reduce opportunities for unauthorized or unintentional modification or misuse of Protected Information. The Parties shall also segregate development, test and production systems, and their networks, to reduce the risks of unauthorized access or changes to the respective Parties’ operational information systems.
Malware protection. The Parties shall adequately protect against malicious code every system (including servers, workstations and mobile equipment) that a Party uses to provide the services contemplated under this Agreement to the other Party. The Parties shall update antivirus software at least daily, and shall enable real-time scan at all times.
Authentication process. The Parties shall restrict access to systems by a proper authentication process, which at minimum will include a username/password combination. The Parties shall prohibit unauthorized access to computers used for the provision of services by one Party to the other under this Agreement.
Changes to underlying systems. Each Party shall notify the other in writing at least 2 Business Days prior to making any material, production changes to its systems/infrastructure which impact or disrupt the services being provided by one Party to the other under this Agreement.
6. Security Breach
The Parties have, and shall maintain, an efficient management structure in place to regulate and escalate security issues.
The Parties shall log and monitor security-related events on all levels (e.g. operating system, database and application). Security-related events include (i) both successful and failed authentication and login attempts, and (ii) attempts to circumvent the business logic (logged e.g. by IPS/IDS, firewall or WAF). The Parties will follow industry best practices (e.g. NIST, OWASP) for logging security-related events.
In the event a Party suffers or learns of any actual security breach, or any unintentional access or use has occurred in violation of a Party’s security or confidentiality obligations under the Agreement (including any unauthorized acquisition, accessing, use, alteration, disclosure, compromise or loss of any Confidential Information), or any unauthorized intrusions into a Party’s or any of its non-employee Personnel’s facilities or secure systems (collectively a “Security Breach”), then the affected Party will notify the other Party. The relevant Party will diligently investigate the cause of the Security Breach and promptly create and enact a corrective action plan to prevent future breaches.
For the purpose of this Schedule, “Protected Information” means any one or more of the following categories of information or data:
(a) Cardholder Data (which has the meaning stated in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms);
(b) payment processing related transactional information that may be collected, owned, and/or stored by Customer or Liberis, including the price paid for products or services, date, time, approval, unique transaction number, store identifier, and bank information relating to a transaction;
(c) security-related information including card validation codes/values, full track data from the magnetic stripe or equivalent on a chip, PINs, and PIN blocks used to authenticate cardholders and/or authorize payment card transactions;
(d) any other information or data covered by Applicable Law, including applicable privacy laws;
(e) all information about Customer’s or Liberis’ information security and its applied information security measures; and
(f) any information designated as Protected Information under the Agreement.