Privacy Policy

Policies

PayRetailers Group S.A de C.V, (PayRetailers), with their address at Sierra Mojada 405, floor 3, office 1, Lomas de Chapultepec, C.P 11000, Miguel Hidalgo Mexico City, is responsible for the use and protection of your personal data, and in accordance with the General Data Protection Regulation (EU) 2016/679 and the Organic Law 3/2018, we inform you:

When you are acting on behalf of a business entity, we will refer to you as a representative.

When you do business with a business entity but do not do business directly with PayRetailers, we refer to you as the end user.

When you act as a service provider for PayRetailers, we will refer to you as a provider.

Consent

At the time of accepting this Privacy Policy, you expressly consent to the use of your personal data for the exclusive purposes defined in this document.

In the use of your supplied data, storage is included, this being understood as conservation in a registry or in a data bank, by its own means or provided by third parties; and treatment, this being understood as any automated or non-automated operation that allows the collection, storage, recording, organisation, elaboration, selection, extraction, confrontation, interconnection, dissociation, communication, assignment, transfer, transmission or cancellation of personal data.

Statement

It is stated that in order to comply with this privacy statement, you must be of legal age and certify that the information you provide is accurate and truthful at the time you accept it. In case of requesting a modification, we ask you to inform us as soon as possible in accordance with the procedure set forth below.

Nowhere on the Platform do we knowingly collect personal data or information from anyone under the age of 18.

What personal data will we use, how do we obtain it and for what purposes?

1. Representative

PayRetailers, in its capacity as data controller, will collect the following information through the PayRetailers website, by email and by any other means that we make available to you:

    • General personal data: Full name, nationality, email, current personal identification, Federal Taxpayer Registry key and/or tax identification number and/or equivalent, telephone number, employment data, among others of the same category.
    • Sensitive personal data will not be collected.

The personal data we collect from you will be used for the following primary purposes, which are necessary for the service you request:

      • Account creation on the PayRetailers website
      • Onboarding process, including the review and approval of the Compliance team based on the internal policies of PayRetailers
      • Generate the necessary documentation for the commercial relationship
      • Provide you with the contracted services
      • Take steps to keep your personal data and legal documentation of your company up to date
      • Make clarifications to prevent money laundering, detect fraud or illicit activity against your person or PayRetailers
      • Conduct legal reviews and due diligence
      • Communicate with you in order to fulfil our obligations under the Terms of Service
      • Perform all kinds of analysis to improve the services offered by PayRetailers
      • Marketing, advertising, or commercial prospecting purposes regarding the services we offer, our own or those of third parties
      • Carry out service surveys, with the aim of evaluating and improving the quality of the products and services we offer
      • Comply with the legal obligations in charge of PayRetailers

2. End user

PayRetailers provides its services to commercial entities, which directly or indirectly provide us with personal data of end users in relation to the entities’ own commercial activities. When we act as a data processor, we process personal data in accordance with the terms and conditions of our agreement with that entity.

Business entities are responsible for ensuring the privacy rights of their end users, including ensuring proper disclosure of data collection and processing that occurs in connection with the services. If you are an end user, please consult the privacy policy of the business entity for information on the processing of your data.

The personal data that the business entity provides to us directly or indirectly from you, through our programming interface, email or by the means that the business entity designates, includes the following:

      • Personal identification data: Full name, email, telephone, address, official identification, among others of the same category.
      • Transaction data: date, amount, payment method, the country where it was made, status, among others of the same category.
      • Sensitive personal data is not sent.

The personal data that is sent to us in our capacity as data processor will be used for the following purposes:

      • Verify and confirm your identity
      • Transaction processing
      • Make clarifications to prevent money laundering, detect fraud or illicit activity against your person or PayRetailers
      • Address complaints, claims and suggestions sent to PayRetailers
      • Comply with the legal obligations in charge of PayRetailers

We will not send commercial communications without your consent.

3. Provider

PayRetailers will collect by email and by any other means that we make available to you, the following information:

      • Personal identification and contact data: Full name, nationality, email, official identification, telephone, employment data, among others of the same category.
      • Sensitive personal data will not be collected

We will use the personal data that we collect from you for the following primary purposes, which are necessary to formalise the contractual relationship:

      • Verify and confirm your identity
      • Onboarding process, including the review and approval of the Compliance team based on the internal policies of PayRetailers
      • Generate the necessary documentation for the commercial relationship
      • Manage the corresponding payments
      • Perform legal reviews and due diligence
      • Comply with the legal obligations in charge of PayRetailers

Legal basis of the treatment

For the treatment of personal data, PayRetailers starts from the following legal bases:

      • Contractual and pre-contractual business relationships. We process personal data in order to formalise business relationships with potential business entities and to fulfil the respective contractual obligations we have with such entities.
      • Legitimate Business Interests. In accordance with the applicable legislation, we process the data for the purpose of complying with the legal obligations of PayRetailers, such as the prevention and clarification of fraud, as well as the provision of our services to said entities.
      • Consent. Based on the consent you provide us to process your personal data as a representative of a business entity.

How long do we store your personal data?

We will keep your data only for the period strictly necessary for the respective purposes of the treatment or during the legal period, as the case may be.

To whom do we transfer your data?

PayRetailers shares your data with other entities of the PayRetailers corporate group that operate under the same standards, processes and/or internal policies under which PayRetailers operates, for the comprehensive fulfilment of the services we offer.

Likewise, PayRetailers shares data, through referrals, to persons who are in charge or sub-processors of the treatment, such as service providers or business partners with whom PayRetailers has a legal relationship. PayRetailers verifies that such service providers or business partners comply with the same data protection standards as PayRetailers.

We inform you that PayRetailers does not transfer data to third parties, except in exceptional cases that do not require your consent and are provided for in the applicable legislation, such as those necessary or legally required to safeguard a public interest, or for the prosecution or administration of justice.

International data transfer

Your personal data may be stored outside of Mexico by our suppliers or service providers or by companies of the PayRetailers Group for the purposes described in this privacy policy.

Your personal data eventually transferred to other countries will be treated with the same level of protection, in compliance with the guarantees required by applicable law and under PayRetailers security policies.

How can you exercise your privacy rights?

You, as a representative, have the right to know what personal data we have about you, what we use it for and the conditions of use we give it (Access). Likewise, it is your right to request the correction of your personal information in case it is outdated, inaccurate or incomplete (Rectification); that we remove it from our records or databases when you consider that it is not being used properly (Cancellation); as well as to oppose the use of your personal data for specific purposes (Opposition). These rights are known as ARCO rights.

Likewise, you can revoke the consent that, in your case, you have granted us for the treatment of your personal data. You must consider that, for certain purposes, the revocation of your consent will imply that we cannot continue providing the service you requested, or the termination of your relationship with PayRetailers.

To exercise any of the rights mentioned above, you must send a request to the email address privacy@payretailers.com, which must comply with the following requirements and documents:

      • Full name of the data subject
      • Copy of the document proving your identity on both sides;
      • In the event that the data subject appears through a legal representative, the latter must also show, by the same means, the documents that prove the legal representation (simple power of attorney signed by the data subject, the proxy and two witnesses, accompanied by a copy of the identifications of the agent and the two witnesses);
      • Clear and precise description of the personal data with respect to which one seeks to exercise any of the ARCO rights.

Requests to exercise ARCO rights will be addressed within a period not exceeding 20 (twenty) business days from the date the request was received. If your request is appropriate, it will be effective within 15 (fifteen) business days following the date on which PayRetailers communicates the response.

In the event that the information provided in your application is erroneous or insufficient, or the necessary documents are not attached to prove your identity or legal representation, you will be required to do so within 5 (five) business days following receipt of your application, to correct the deficiencies. This requirement must be met by you within 10 (ten) business days following the receipt, otherwise, your request will be deemed not submitted.

Requests will be handled by the data protection delegate with address at Sierra Mojada 405, floor 3, office 1, Lomas de Chapultepec, C.P 11000, Miguel Hidalgo Mexico City, in Mexico City, who can be contacted at the email address privacy@payretailers.com

Security of personal data

PayRetailers maintains technical and organisational security measures in place to prevent the loss, theft, modification and/or unauthorised access to your personal data, such as access controls, minimisation of the number of people who access the data, implementation of cybersecurity tools such as firewalls, antivirus, among others.

Likewise, our website has a Secure Sockets Layer (SSL) security certificate, which encrypts the information you enter to maintain its confidentiality.

How can you find out about changes to this privacy policy?

This privacy policy may undergo modifications, changes or updates derived from new legal requirements or from:

      • our own needs for the products or services we offer
      • our privacy practices
      • changes in our business model or other causes.

The procedure through which notifications about changes or updates will be carried out will be through an informative note on our website, by email or any other technological means available at the time.

Last update: February 2023

PayRetailers SL., (PayRetailers), with their address at Avenida Diagonal number 682 floor 1, 08034 city of Barcelona, Spain, is responsible for the use and protection of your personal data, and in accordance with the General Data Protection Regulation (EU) 2016/679 and the Organic Law 3/2018, we inform you:

When you are acting on behalf of a business entity, we will refer to you as a representative.

When you do business with a business entity but do not do business directly with PayRetailers, we refer to you as the end user.

When you act as a service provider for PayRetailers, we will refer to you as a provider.

Consent

At the time of accepting this Privacy Policy, you expressly consent to the use of your personal data for the exclusive purposes defined in this document.

In the use of your supplied data, storage is included, this being understood as conservation in a registry or in a data bank, by its own means or provided by third parties; and treatment, this being understood as any automated or non-automated operation that allows the collection, storage, recording, organisation, elaboration, selection, extraction, confrontation, interconnection, dissociation, communication, assignment, transfer, transmission or cancellation of personal data.

Statement

It is stated that in order to comply with this privacy statement, you must be of legal age and certify that the information you provide is accurate and truthful at the time you accept it. In case of requesting a modification, we ask you to inform us as soon as possible in accordance with the procedure set forth below.

Nowhere on the Platform do we knowingly collect personal data or information from anyone under the age of 18.

What personal data will we use, how do we obtain it and for what purposes?

1. Representative

PayRetailers, in its capacity as data controller, will collect the following information through the PayRetailers website, by email and by any other means that we make available to you:

    • Personal identification and contact data: Full name, nationality, email, current personal identification, tax identification number and/or equivalent, telephone, employment data, among others of the same category.
    • Sensitive personal data will not be collected.

The personal data we collect from you will be used for the following primary purposes, which are necessary for the service you request:

      • Account creation on the PayRetailers website
      • Onboarding process, including the review and approval of the Compliance team based on the internal policies of PayRetailers
      • Generate the necessary documentation for the commercial relationship
      • Provide you with the contracted services
      • Take steps to keep your personal data and legal documentation of your company up to date
      • Make clarifications to prevent money laundering, detect fraud or illicit activity against your person or PayRetailers
      • Conduct legal reviews and due diligence
      • Communicate with you in order to fulfil our obligations under the Terms of Service
      • Perform all kinds of analysis to improve the services offered by PayRetailers
      • Marketing, advertising, or commercial prospecting purposes regarding the services we offer, our own or those of third parties
      • Carry out service surveys, with the aim of evaluating and improving the quality of the products and services we offer
      • Comply with the legal obligations in charge of PayRetailers

2. End user

PayRetailers provides its services to commercial entities, which directly or indirectly provide us with the personal data of end users in relation to the entities’ own commercial activities. When we act as a data processor, we process personal data in accordance with the terms and conditions of our agreement with said entity.

Business entities are responsible for ensuring the privacy rights of their end users, including ensuring proper disclosure of data collection and processing that occurs in connection with the services. If you are an end user, please consult the privacy policy of the business entity for information on the processing of your data.

The personal data that the business entity provides to us directly or indirectly from you, through our programming interface, email or by the means that the business entity designates, includes the following:

      • Personal identification data: Full name, email, telephone, address, official identification, among others of the same category.
      • Transaction data: date, amount, payment method, the country where it was made, status, among others of the same category.
      • Sensitive personal data is not sent.

The personal data that is sent to us in our capacity as data processor will be used for the following purposes:

      • Verify and confirm your identity
      • Transaction processing
      • Make clarifications to prevent money laundering, detect fraud or illicit activity against your person or PayRetailers
      • Address complaints, claims and suggestions sent to PayRetailers
      • Comply with the legal obligations in charge of PayRetailers

We will not send commercial communications without your consent.

3. Provider

PayRetailers will collect by email and by any other means that we make available to you, the following information:

      • Personal identification and contact data: Full name, nationality, email, official identification, telephone, employment data, among others of the same category.
      • Sensitive personal data will not be collected

We will use the personal data that we collect from you for the following primary purposes, which are necessary to formalise the contractual relationship:

      • Verify and confirm your identity
      • Onboarding process, including the review and approval of the Compliance team based on the internal policies of PayRetailers
      • Generate the necessary documentation for the commercial relationship
      • Manage the corresponding payments
      • Perform legal reviews and due diligence
      • Comply with the legal obligations in charge of PayRetailers

Legal basis of the treatment

For the treatment of personal data, PayRetailers starts from the following legal bases:

      • Contractual and pre-contractual business relationships. We process personal data in order to formalise business relationships with potential business entities and to fulfil the respective contractual obligations we have with such entities.
      • Legitimate Business Interests. In accordance with the applicable legislation, we process the data for the purpose of complying with the legal obligations of PayRetailers, such as the prevention and clarification of fraud, as well as the provision of our services to said entities.
      • Consent. Based on the consent you provide us to process your personal data as a representative of a business entity.

How long do we store your personal data?

We will keep your data only for the period strictly necessary for the respective purposes of the treatment or during the legal period, as the case may be.

To whom do we transfer your data?

PayRetailers shares your data with other entities of the PayRetailers corporate group that operate under the same standards, processes and/or internal policies under which PayRetailers operates, for the comprehensive fulfilment of the services we offer.

Likewise, PayRetailers shares data, through referrals, to persons who are in charge or sub-processors of the treatment, such as service providers or business partners with whom PayRetailers has a legal relationship. PayRetailers verifies that such service providers or business partners comply with the same data protection standards as PayRetailers.

We inform you that PayRetailers does not transfer data to third parties, except in exceptional cases that do not require your consent and are provided for in the applicable legislation, such as those necessary or legally required to safeguard a public interest, or for the prosecution or administration of justice.

International data transfer

Your personal data may be stored outside the European Union by our suppliers or service providers or by companies of the PayRetailers Group for the purposes described in this privacy policy.

Your personal data eventually transferred to other countries will be treated with the same level of protection, in compliance with the guarantees required by applicable law and under PayRetailers security policies.

How can you exercise your privacy rights?

You have the right to request confirmation of the existence of processing of personal data (information); have access to your data, requesting the availability of a copy of the personal data you have provided us (access); correction of incomplete, inaccurate or out-of-date data (rectification); the revocation, at any time, of your previously granted consent for data processing as well as information on the possibility that you do not give your consent for certain data processing and the consequences of not consenting (revocation); anonymisation, blocking or deletion of data that is unnecessary, excessive or processed in violation of the GDPR (suppression); oppose the use of your personal data for specific purposes (opposition); limit the processing of your data (limitation); the portability of your personal data to another provider of services or products (portability), as well as information about the public and private entities with which we share data.

To exercise any of the rights mentioned above, you must send a request to the email address privacy@payretailers.com, which must comply with the following requirements and documents:

      • Full name of the data subject
      • Copy of the document proving your identity on both sides;
      • In the event that the data subject appears through a legal representative, the latter must also show, by the same means, the documents that prove the legal representation (simple power of attorney signed by the data subject, the proxy and two witnesses, accompanied by a copy of the identifications of the agent and the two witnesses);
      • Clear and precise description of the personal data with respect to which one seeks to exercise any of the rights.

Requests will be dealt with within the terms provided in Regulation (EU) 2016/679 and Organic Law 3/2018, through our data protection delegate, who can be contacted for questions or clarifications through the email address privacy@payretailers.com

Security of personal data

PayRetailers maintains technical and organisational security measures in place to prevent the loss, theft, modification and/or unauthorised access to your personal data, such as access controls, minimisation of the number of people who access the data, implementation of cybersecurity tools such as firewalls, antivirus, among others.

We are PCI DSS certified (Payment Card Industry Data Security Standard) to ensure that credit card data is processed, stored, or transmitted in a secure environment.

Likewise, our website has a Secure Sockets Layer (SSL) security certificate, which encrypts the information you enter to maintain its confidentiality.

How can you find out about changes to this privacy policy?

This privacy policy may undergo modifications, changes or updates derived from new legal requirements or from:

      • our own needs for the products or services we offer
      • our privacy practices
      • changes in our business model or other causes.

The procedure through which notifications about changes or updates will be carried out will be through an informative note on our website, by email or any other technological means available at the time.

Last update: October 2022

Data Processing Agreement

This Data Processing Agreement is part of the terms and conditions of the service and will come into force from the moment of acceptance of the Terms and Conditions of the service. This Agreement will apply to personal data that the Processor processes on your behalf.

Hereinafter, the Business shall be referred to as “Data Controller”, and the Processor, as “Data Processor”.

1. Obligations of the Data Processor.

The Data Controller shall provide the Data Processor with access to all Personal Data that may be necessary for the execution of this Agreement and the completion of tasks assigned.

Personal Data shall always be processed as per the instructions of the Data Controller and used only for the purposes established in this Agreement, unless otherwise expressly agreed in writing with the Data Controller.

The Data Processor shall not share, transfer, submit or otherwise allow access to third parties of the Personal Data.

Moreover, the Data Processor shall document all data processed on behalf of the Data Controller. In particular, the Data Processor must keep a log containing all the categories of processed Personal Data, including:

  • 1. Identification of the Data Processor and the Data Controller, contact information of both or, failing that, Data Protection Delegates.
  • 2. The categories of all Data Protection processing actions carried out.
  • 3. The transfer of Personal Data to a third-party country or international organisations, including the identification of such third-party country or international organisations.
  • 4. General description of the technical and organisational safety measures related to:
    • a) Pseudonymisation and encryption of Personal Data.
    • b) The ability to ensure the permanent confidentiality, integrity, availability, and resilience relevant to the systems and services of data processing.
    • c) The ability to quickly recover the availability and the access to Personal Data, in the event of a physical or technical incident.
    • d) The process of regular verification, evaluation, and assessment regarding the efficacy of the technical and organisational measures to ensure the safety of the data processing.

2. Authorised Personnel.

The Data Processor shall appoint those members of their workforce (hereinafter, the “Authorised Personnel”) who shall participate in the rendering of the Services, assuring that such persons shall be the only ones authorised to access the Personal Data subject to the processing requested by the Data Controller.

The Data Processor ensures that the authorised personnel acknowledge the security and confidentiality obligations arising from the applicable Privacy law which they must comply with and that they have provided all the instructions necessary for such compliance.

The Data Processor shall always monitor compliance with all the instructions provided by the Data Controller in connection with the processing of Personal Data, and shall verify the fulfilment of the established procedures by the Authorised Personnel to guarantee the quality, update, and safety of the Personal Data, as well as the compliance with the applicable regulations.

3. Details and purpose of the Personal Data processing.

The purpose of the Personal Data processing by the Data Processor is to facilitate payment transactions on behalf of and at the direction of the Data Controller.

If the Data Processor considers that the Personal Data processing subject matter hereof or the instructions provided by the Data Controller violates in any way whatsoever the provisions set forth by the prevailing legislation on such matters, they shall immediately inform the Data Controller.

The means used by the Data Processor to carry out the processing requested by the Data Controller shall be as follows:

Means of processing:

[X] Computational   [ ] Physical   [ ] Mixed

For the performance of the subject matter hereof, the Data Controller shall provide access to the following information to the Data Processor:

Categories of the interested parties

– Persons who use the payments services provided by the Data Processor.

Typology of data processed

– Identification data (name, surname, contact email, domicile)

– Place of residence

– Date of Birth

– Nationality

The information described herein may and shall, from time to time, be adapted to the reality of the Data Processing. Any amendment to the processing shall always require prior written agreement between the parties.

4. Security measures.

The Data Processor shall take all the security and organisational measures necessary to guarantee the protection of the Personal Data for which the Data Controller is responsible.

The Data Processor shall adopt mechanisms to:

  • a) Ensure the permanent confidentiality, integrity, availability, and resilience relevant to the systems and services of Personal Data processing.
  • b) Quickly recover the availability and the access to Personal Data, in the event of a physical or technical incident.
  • c) Regularly verify, evaluate, and assess the efficacy of the technical and organisational measures adopted to ensure the safety of the Personal Data processing.
  • d) Pseudonymise and encrypt the Personal Data, where possible and appropriate.

5. International transfers.

The Data Controller agrees that the Data Processor may transfer personal data to any country, provided all transfers by the Data Processor of personal data shall be effected by way of Appropriate Safeguards and in accordance with Applicable Privacy Law, such as:

  • a) Standard contractual clauses approved by the controlling authority having proper jurisdiction.
  • b) Conduct Codes or other certification mechanisms approved by the controlling authority having proper jurisdiction.
  • c) Binding Corporate Regulations approved by a controlling authority having proper jurisdiction.

6. Subcontracting.

The Data Controller grants to the Data Processor specific authorization to appoint the Sub-Processors listed in Addenda I, in connection with the Data Processor's performance of the Services.

The Data Controller grants to the Data Processor general authorization to appoint additional or replacement Sub-Processors for the Data Processor's performance of the Services, provided that the Data Processor provides advance notice of its intention to appoint each Sub-Processor.

In the event of authorised Subcontracting, the Data Processor shall:

  • a) Take all measures necessary to verify and assure the Data Controller that the Sub-Processor is capable of rendering the service with maximum guarantees, offering an equal level of protection of the Personal Data to that offered by the Data Processor.
  • b) Ensure the execution of a contract between the Data Processor and the Sub-Processor, with the same guarantees as for the Processing subject matter hereof.
  • c) In the event of any uncertainty about the security measures adopted by the Sub-Processor in connection with the required Processing, the Data Processor shall communicate this to the Data Controller in order to verify if said measures conform to the minimum requirements demanded by the Company.
  • d) Explicitly prohibit the Sub-Processor to likewise subcontract the requested service either wholly or in part, without prior written authorisation from the Data Controller.

7. Communications.

For the purposes of facilitating the fulfilment of the obligations arising from these terms, the parties provide their contact details established in the Terms and Conditions.

8. Information and collaboration.

The Data Processor shall store, and put at the disposal of the Data Controller, all the necessary information in order to prove the compliance with their obligations, and for the performance of the audits or inspections that the Data Controller or other auditor authorised by them may carry out.

9. Rights of the Interested Parties.

The Data Processor shall communicate to the Data Controller when the interested parties exercise their rights of access, rectification, cancellation/deletion, objection, restriction of the processing or portability.

In light of the above, the Data Processor shall:

  • a) Report promptly and in no event later than forty-eight (48) hours after the receipt of any request for the exercise of rights by any interested party, as well as any complaint or grievance relevant to the processing of Personal Data.
  • b) Provide full assistance in connection with said exercise of all rights, complaints, or grievances, so that the Data Controller may address them with the necessary diligence and accuracy.
  • c) Ensure that no member of the workforce, nor in any event any Sub-Processor, answers the interested party without prior express notification in writing by the Data Controller and, where applicable, following the instructions established herein. Where the Data Processor is required, pursuant to the applicable legislation, to answer the interested party's request, they shall communicate such legal obligation to the Data Controller before providing any answer whatsoever, except if prevented by such legislation.
  • d) Keep a record of all complaints, grievances, or requests for exercise of rights by the Interested party, including a copy of the request, the measures adopted to answer to said request and any other communication held with the Interested party in connection with the alluded request.

10. Security violations.

The Data Processor shall immediately inform the Data Controller of any security breach that affects or may affect in any way whatsoever the Personal Data under the responsibility of the Data Controller.

This notification shall include, in any event, the information relevant to:

  • a) The nature or type of security breach suffered, as well as the way in which it may have affected the Personal Data of the Data Controller.
  • b) The details of the measures adopted by the Data Processor, or their proposals of measures to be adopted, in order to prevent such security breach from re-occurring and to prevent any other type of breach, whether similar or not, as long as possible.
  • c) A proposal of measures to be adopted by the Data Controller, where possible, to mitigate the effects of the security breach suffered by the Data Processor, as well as, where applicable, those technical or organisational measures that the Data Controller may adopt to prevent future security violations.

Furthermore, the Data Processor shall collaborate with the Data Controller to assist them in the investigation and repair of any security breach whatsoever.

11. Collaboration with the obligation of compliance of the Data Controller.

The Data Processor shall collaborate with the Data Controller to ensure and demonstrate the compliance with the prevailing legislation on Personal Data protection by the Data Controller, and especially but not limited to:

  • a) Assisting in the answer to the exercise of rights requested by interested parties.
  • b) Collaborating in maintaining the Record of processing activities held by the Data Controller, where applicable.
  • c) Actively participating and providing as much help or information as needed to determine the causes, risks, consequences, and impact related to any security breach whatsoever, collaborating where necessary with the Controlling Authority with proper jurisdiction.
  • d) Drawing up or collaborating with the undertaking of all necessary impact evaluations in connection with the processing of Personal Data related to the Services.
  • e) Providing the Data Controller with all support necessary for compliance with any Codes of Conduct relevant to the Services, as well as, where applicable, to obtain any appropriate certifications that the Data Controller may have an interest in obtaining.

12. Rights of auditing.

The Data Processor shall put at the disposal of the Data Controller all necessary or relevant information in connection with the processing of Personal Data requested, to allow the Data Controller to demonstrate the compliance with the regulations.

13. Termination of the Agreement.

Once the services have been rendered, the Personal Data shall be destroyed or returned to the Data Controller, at their discretion, and the Data Processor shall not keep any copy of such data whatsoever, except to comply with legal obligations contracted by virtue of the provision of services.

If the Data Controller selects the return, the Data shall be restored through systems that may include protocols to ensure the confidentiality of the data (FTPS/SSL or equivalent) and in a format of widespread use or executable with standard software. In the event of non-automated filing systems, the Data Processor shall ensure the confidentiality of the chain of custody or delivery.

If the Data Controller opts for the destruction of the Data, the Data Processor shall ensure that this process is carried out in a confidential way and that said Data, once destroyed, is irrecoverable, undertaking the responsibility to issue all relevant certificates to prove the confidential destruction of such Data.

ADDENDA I – LIST OF SUB-PROCESSORS

Third-party sub-processors

| Entity name | Entity location | Nature and purpose of the processing |
|---|---|---|
| LexisNexis Risk Solutions FL Inc. | United States | Anti-Money Laundering SaaS |
| Cybersource Corporation | United States | Risk management and fraud mitigation services |
| Microsoft Corporation | United States | Service hosting, data storing and operations and administrative management SaaS |
| Atlassian Pty Ltd | United States | Project management SaaS |
| IVXS UK Ltd “ComplyAdvantage” | United Kingdom | Anti-Money Laundering and fraud SaaS |

Payretailers Group sub-processors

| Entity name | Entity location | Nature and purpose of the processing |
|---|---|---|
| Payretailers Group S.L.U | Spain | Legal, economic, administrative, commercial, and industrial consultancy |
| Payretailers Technologies S.L.U | Spain | Services related to information technology. |
| Payretailers Latam Holdings S.L | Spain | Financial advice; services related to information technology; legal, economic, administrative, commercial and industrial consultancy. |

Last update: February 2023