Data Processing Agreement
This Data Processing Agreement (“DPA”) is subject to and forms part of your Self Commercial Terms and Conditions and governs Self’s Processing of Personal Data.
Your Self Organisation Account is provided from the United Kingdom.
Capitalised terms not defined in this DPA have the meanings given to them in your Self Commercial Terms and Conditions.
“CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code Sections 1798.100-1798.199.
“DP Law” means all Legislation that applies to Personal Data Processing under your Self Commercial Terms and Conditions and this DPA, including international, federal, state, provincial and local Law relating to privacy, data protection or data security.
“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of Processing Personal Data, which may include, as applicable, a “Business” as defined under the CCPA.
“Data Processor” means the entity that Processes Personal Data on behalf of the Data Controller, which may include, as applicable, a “Service Provider” as defined under the CCPA.
“Data Security Measures” means technical and organisational measures that are intended to secure Personal Data to a level of security appropriate for the risk of the Processing.
“Data Subject” means an identified or identifiable natural person to which Personal Data relates.
“EEA” means the European Economic Area.
“EEA SCCs” mean Module 2 (Transfer: Controller to Processor) of the standard contractual clauses set out in the European Commission Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries according to the GDPR.
“GDPR” means the General Data Protection Regulation (EU) 2016/679.
“Instructions” means this DPA and any further written agreement or documentation under which the Data Controller instructs a Data Processor to perform specific Processing of Personal Data for that Data Controller.
“Joint Controller” means a Data Controller that jointly determines the purposes and means of Processing Personal Data with one or more Data Controllers.
“Personal Data” means any information relating to an identified or identifiable natural person that is Processed in connection with the Services, and includes “personal data” as defined under the GDPR and “personal information” as defined under the CCPA.
“Process” means to perform any operation or set of operations on Personal Data or sets of Personal Data, such as collecting, recording, organising, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying, as described under DP Law.
“Sensitive Data” means (a) Personal Data that is genetic data, biometric data, data concerning health, a natural person’s sex life or sexual orientation; or (b) data about racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, to the extent this data is treated distinctly as a special category of Personal Data under DP Law.
“Sub-processor” means an entity a Data Processor engages to Process Personal Data on that Data Processor’s behalf in connection with the Services.
“UK Data Transfer Addendum” means the international data transfer addendum to the EEA SCCs issued by the United Kingdom’s Information Commissioner’s Office.
“UK GDPR” means the GDPR, as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.
3. Self as Data Processor and Data Controller.
3.1. Data Processing Roles.
To the extent Self Processes Personal Data as a:
(a) Data Processor, it is acting as a Data Processor on behalf of you, the Data Controller; and
(b) Data Controller, it has the sole and exclusive authority to determine the purposes and means of Processing Personal Data it receives from or through you.
3.2. Categories of Data Subjects and Personal Data.
(a) Data Subjects. Self may Process the Personal Data of your Customers, representatives and any natural persons who access or use your Self Organisation Account.
(b) Personal Data. Where applicable, Self may Process Payment Account Details, billing address, name, date/time/amount of transaction, device ID, email address, IP address/location, order ID, payment card details, tax ID/status, unique customer identifier, identity information including government issued documents (e.g., national IDs, driver’s licenses and passports).
(c) Sensitive Data. Where applicable, Self may Process facial recognition data.
3.3. Data Processing Purposes.
(a) The purposes of Self’s Processing of Personal Data are when Self is operating in its capacity as a Data Processor for a Service, including:
(i) Taking payment for Services provided by Self to the Organisation; and
(ii)Processing Images for the purpose of determining a biometric match between two or more images of a User.
(b) The purposes of Self’s Processing of Personal Data in its capacity as a Data Controller are:
(iii) complying with Law, including applicable anti-money laundering screening and know-your-customer obligations; and
4. Self’s Obligations when Acting as a Data Processor.
To the extent that Self is acting as a Data Processor for you, Self will:
(a) not sell, retain, use or disclose Personal Data for any purpose other than to comply with Law;
(b) ensure that all no persons will be authorised to Process Personal Data in the context of the Services.
(c) Self holds no personal data belonging to Data Subjects. We will inform you of requests Self receives from Data Subjects exercising their applicable rights under DP Law to (i) access (e.g., right to know under the CCPA) their Personal Data; (ii) have their Personal Data corrected or erased. Self will direct the Data Subject to you as Data Controller using Self messaging;
(d) Self will inform you of each law enforcement request it receives from a Governmental Authority requiring Self to disclose Personal Data or participate in an investigation involving Personal Data;
(e) to the extent required by DP Law, provide you with reasonable assistance through appropriate technical and organisational measures, at your expense, to assist you in complying with your obligations under DP Law;
(f) implement and maintain an information security program and a data security incident management program that addresses how Self will manage a data security incident involving the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, Personal Data (“Incident”). If Self is required by Law to notify you of an Incident, then Self will notify you without unreasonable delay.
4.2 Disclaimer of Liability.
Notwithstanding anything to the contrary in your Self Commercial Terms and Conditions or this DPA, Self will not be liable for any claim made by a Data Subject arising from or related to Self’s acts or omissions, to the extent that Self was acting in accordance with your Instructions.
If there is any conflict or ambiguity between the provisions of this DPA and the provisions of your Self Commercial Terms and Conditions regarding Personal Data Processing, the provisions of this DPA will prevail.