Data Processing Addendum

This Data Processing Addendum is an integral part of the Epix Service Terms, available at www.paybix.eu/epix-service-terms.


General provisions


PayBIX shall act as a processor of the Customer when processing Customer Data on Epix. Customer shall act as a controller in relation to the Customer Data. If Customer is itself a processor, PayBIX shall act as a subprocessor and the provisions of this Data Processing Addendum shall be construed accordingly.


Instructions on the processing of personal data


PayBIX shall only process Customer Data in accordance with this Data Processing Addendum and the documented instructions provided by the Customer in accordance with the Terms and this Data Processing Addendum, except if PayBIX is required to do so by Union or Member State law to which PayBIX is subject; in such a case, PayBIX shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

The Terms and this Data Processing Addendum provide the scope within which the Customer may provide instructions to PayBIX.

PayBIX shall immediately inform the Customer if, in its opinion, an instruction infringes applicable data protection law.

The processing details are described in Exhibit A to this Data Processing Addendum. If PayBIX implements Updates or Upgrades to Epix, it may change the processing details described in Exhibit A in order to cover such Updates or Upgrades. If the Customer objects to such amendment and the Parties fail to reach a mutually agreed solution, the Customer shall be entitled to terminate its Subscription for convenience.


Other obligations of PayBIX in relation to the processing activities


Security


PayBIX shall implement adequate security measures to protect the Customer Data. Such security measures shall be reassessed regularly and adapted as necessary to maintain an adequate level of protection.

PayBIX shall ensure that persons authorized to process the Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.


Personal data breaches


PayBIX shall notify the Customer without undue delay where feasible and in any event no later than 72 hours after becoming aware of a personal data breach.

Following a personal data breach, PayBIX shall promptly take reasonable steps to contain and investigate the personal data breach.

PayBIX's notification of a personal data breach shall not be construed as an acknowledgment by PayBIX of any negligence or violation of applicable data protection law.


Assistance to the Customer


PayBIX shall reasonably assist the Customer in the fulfilment of the Customer's obligation to respond to requests for exercising data subjects' rights.

PayBIX shall reasonably assist the Customer with the Customer’s own obligations in relation to security, personal data breaches, data protection impact assessments and prior consultation (articles 32-36 GDPR).

PayBIX may invoice the Customer a reasonable amount for such assistance. PayBIX shall inform the Customer of such amounts or the criteria to define the applicable amount. If the assistance is the result of a breach by PayBIX of the Terms (including this Data Processing Addendum) or applicable data protection law, PayBIX shall provide the assistance free of charge.


Appointment of subprocessors


PayBIX shall be entitled to appoint subprocessors. The current list of approved subprocessors is annexed as Exhibit B.

PayBIX shall inform the Customer at least 10 Working Days in advance and in writing of any intended changes. Customer may object to the intended change within 10 Working Days following notice of an intended change, otherwise Customer will be deemed to have accepted the intended change. If Customer objects to the change within the aforementioned period, Customer and PayBIX will cooperate in good faith to resolve Customer’s objection. If the Customer and PayBIX fail to reach an agreement, Customer shall be entitled to terminate the Subscription for convenience with immediate effect.

PayBIX shall execute an agreement with each subprocessor that incorporates data protection obligations equivalent or identical to those set out in this Data Processing Addendum.

PayBIX remains fully liable to the Customer for the performance of the appointed subprocessors.


International Data Transfers


PayBIX shall not transfer Customer Data to a country outside the European Economic Area without the Customer’s prior written consent.

In case of an approved transfer of Customer Data, PayBIX shall implement, where necessary, adequate safeguards in relation to that transfer in accordance with applicable data protection law.


Audits


PayBIX will provide the Customer, on request, with all information reasonably necessary to demonstrate its compliance with this Data Processing Addendum and with applicable data protection law.

PayBIX will allow for and contribute to audits, including inspections by the Customer, to assess compliance with this Data Processing Addendum and with applicable data protection law. PayBIX and the Customer shall define the practical modalities of such audits.

Prior to performing an audit, the Customer shall verify whether the purpose of the audit may be achieved by reviewing standard information, reports and certifications made available by PayBIX.


Deletion of Customer Data


Upon termination or expiry of the Subscription, PayBIX will return or delete Customer Data at Customer’s instruction, unless Union or Member State law requires storage of the personal data.


Exhibit A – Processing details


Epix

The table below provides a high-level overview of this processing activity.

Service (type of processing, nature and purpose of processing)

Epix (SaaS Payroll application)

Hosting and processing of HR-related data

Interfacing between the different payroll actors

Categories of data subjects

Employees (of the Customer)

Relatives of the employees

Categories of personal data

Identification and contact details (name, surname, address, phone number, e-mail address)

Place and date of birth

Data related to occupation and career

Education related data

Financial data (salary related data)

Special categories of personal data: payroll-related health data

Duration of processing

Duration of the Subscription


Consultancy and data services (only applicable if contracted)


The table below provides a high-level overview of this processing activity.

Service (type of processing, nature and purpose of processing)

Consultancy and data migration/input in relation to Epix (SaaS Payroll application)

Analyzing, converting and/or inputting HR-related data with a view to its use in Epix

Categories of data subjects

Employees (of the Customer)

Relatives of the employees

Categories of personal data

Identification and contact details (name, surname, address, phone number, e-mail address)

Place and date of birth

Data related to occupation and career

Education related data

Financial data (salary related data)

Special categories of personal data: payroll-related health data

Duration of processing

Duration of the agreement


Exhibit B – Approved subprocessors


The approved subprocessors can be found at www.paybix.eu/trust.