Annex to Luminor e-Commerce Gateway Agreement

1. Overview

These Data Processing Terms apply only if the Bank processes the personal data received from the Merchant as the data processor upon the performance of the e-Commerce Gateway Agreement (hereinafter: the Gateway Agreement).

2. Definitions

The terms used in the Data Processing Terms have the meaning specified below.

Sub-processor means a person who processes the Personal Data received from the Merchant instead of the Bank, i.e. the data processor, on the basis of the Gateway Agreement.

Data Processing Requirements means

  • the General Data Protection Regulation, i.e. the GDPR, and its implementing and additional acts with any corrections, amendments and replacements;
  • any other guidelines issued by a local or European Union agency responsible for Personal Data protection.

Appropriate Technical and Organisational Measures means the measures that, considering technological development, the cost of implementation and the Personal Data received from the Merchant, guarantee the security that corresponds to the size of the risk arising from the possible unauthorised and unlawful processing, loss and destruction of and damage to Personal Data. These measures cover any additional measures about which the Merchant informs the Bank in writing from time to time and in which the parties have reasonably agreed.

GDPR means the General Data Protection Regulation (2016/679).

Personal Data Received from Merchant means the Personal Data that the Bank processes on the basis of or in relation to an agreement on behalf of the Merchant.

Merchant means the person who has entered into the Gateway Agreement with the Bank, during the performance of which the Bank processes the Personal Data received from the Merchant.

Bank means Luminor Bank AS (registry code 10237140).

The terms Data Subject, Personal Data, Personal Data Breach and Personal Data Processing have the same meaning in these Terms that they have in the GDPR.

The terms used that have not been defined in these Terms are defined in the General Terms and Conditions of Luminor.

Processing of Personal Data Received from Merchant

2.1. The Bank
2.1.1. processes the Personal Data received from the Merchant in accordance with the data protection requirements and only to the extent and in the manner necessary for the provision of the services determined in the Gateway Agreement or other agreements made between the parties. An exception is made if different processing is required by legislation: in this case, the Bank will inform the Merchant about this legal requirement before it starts processing the Personal Data (unless informing in such a manner is prohibited by legislation);
2.1.2. keeps the Personal Data received from the Merchant confidential and uses and discloses them only for the purposes determined in the Data Processing Terms or the Gateway Agreement;
2.1.3. takes the appropriate technical and organisational measures to prevent the unauthorised and unlawful processing of the Personal Data Received from Merchant and the loss and destruction of and damage to the Personal Data;
2.1.4. deletes the Personal Data Received from Merchant when the storage period specified in the Data Processing Terms expires.

3. Details of Processing

3.1. Based on Article 28(3) of the GDPR, the Bank proceeds from the following details when processing Personal Data Received from Merchant:
3.1.1. topic of processing: Personal Data Received from Merchant necessary for the provision of banking services to the Merchant on the basis of the Gateway Agreement;
3.1.2. duration of processing: the term of the Gateway Agreement (the Bank will retain the Personal Data for ten years after the conclusion of the payment transaction);
3.1.3. nature and purpose of processing: the need to provide banking services to the Merchant and make serving clients easier for the Merchant;
3.1.4. categories of Data Subjects: the Merchant’s clients, employees, representatives, contact persons and all other persons whose Personal Data the Merchant transmits to the Bank during the use of the Bank’s services;
3.1.5. type of Personal Data: all of the Personal Data of the Data Subjects specified in clause 3.1.4, which the Data Subjects give to the Merchant during the use of the services (such as the first name and surname, address, payment amount, payment data, e-mail address, telephone number).

4. Obligations of Merchant

4.1. The Merchant
4.1.1. sends all of the information concerning data processing to the Data Subjects related to the Personal Data received from them according to data protection requirements;
4.1.2. prepares and retains the source documents that grant the right to transmit Personal Data to the Bank and permit the Bank to process these data;
4.1.3. transmits to the Bank Personal Data that are sufficient and appropriate, and only cover the information necessary for using the service. The Merchant avoids collecting Personal Data belonging to special categories.

4.2. The transmission of Personal Data to the Bank is regarded as the Merchant’s authorisation with which the latter gives the Bank an order to process Personal Data on behalf of the Merchant. The Bank is not liable for the content or the minimisation of the Personal Data received from the Merchant.

5. Sub-Processors

5.1. The Merchant grants the Bank the right to engage sub-processors, provided that the Bank remains fully liable for the performance of the sub-processor and for its acts and omissions related to the processing of the Personal Data Received from Merchant.
5.2. The Bank informs the Merchant about all intended changes concerning the addition or replacement of a sub-processor under “Personal Data Processing” on the Bank’s website.
5.3. If the Merchant does not agree with the changes concerning the sub-processor, they have the right to cancel the Gateway Agreement on the basis of which the Bank processes the Personal Data Received from Merchant. The Merchant complies with the terms and conditions of the Gateway Agreement upon cancellation.
5.4. The Bank will remain the Merchant’s sole point of contact in all issues concerning the Data Processing Terms, even if it delegates its obligations to a sub-processor. The Bank is also liable for the sub-processor’s compliance with the Data Processing Terms applicable to the Bank.
5.5. The Bank enters into a confidentiality agreement with each sub-processor, the terms and conditions of which are identical to these Data Processing Terms.

6. Access

6.1. The Bank gives access to the Personal Data Received from Merchant
6.1.1. only to appropriately authorised officials, employees, agents and subcontractors (the Bank’s employees), who need access for the performance of the Bank’s obligations, which are determined in the terms and conditions of the Gateway Agreement, the Data Processing Terms and the relevant legislation;
6.1.2. only to the extent essential for the performance of the Bank’s obligations.

6.2. The Bank's employee
6.2.1. knows that Personal Data are confidential;
6.2.2. has passed training in Personal Data storage, protection and handling;
6.2.3. performs the Bank’s obligations specified in the data protection requirements and the Data Processing Terms.

7. Transmission Outside European Economic Area

7.1. The Bank may transmit the Personal Data Received from Merchant to countries outside the European Economic Area or make the Personal Data Received from Merchant accessible in such countries if the terms and conditions of the data transmission agreement applicable to such countries cover
7.1.1. the standard clauses of the agreement between the data controller and the data processor (given Commission Decision 2010/87/EC of 5 February 2010), and
7.1.2. other similar contractual clauses established by the European Commission from time to time (European Union standard clauses).

7.2. Instead of agreements based on European Union standard clauses, the Bank may also rely on other measures of transmission protection if they permit and enable transmission of data according to data protection requirements to countries outside the European Economic Area.

8. Reporting Personal Data Breaches

8.1. If the Bank becomes aware of breaches related to the Personal Data Received from Merchant, it will, as soon as possible, take the appropriate measures, which cover
8.1.1. informing the Merchant;
8.1.2. investigating the circumstances;
8.1.3. giving the Merchant information about the reasons for the breach; and
8.1.4. recommending and taking corrective action.

8.2. The Bank submits the following information concerning the Personal Data Breach:
8.2.1. the probable date and time of the breach;
8.2.2. the description of the breach, incl. the categories and approximate number of Data Subjects and the categories and approximate number of the related data media;
8.2.3. the name and contact details of the Bank’s data protection officer or another contact person for requesting further information;
8.2.4. the description of the possible consequences of the breach;
8.2.5. the description of the measures taken and to be taken to resolve the breach, as well as the description of the measures that reduce the possible negative impact of the breach (if appropriate).

8.3. The Bank is not obliged to inform supervisory authorities and the Data Subjects about the breaches related to the Personal Data Received from Merchant, but at the request of the Merchant, it will cooperate with the Merchant in order to appropriately inform the affected Data Subjects.

9. Data Protection Impact Assessment, Prior Consultation and Audit Rights

9.1. The Bank supports the Merchant to a reasonable extent in carrying out a data protection impact assessment and in consulting with a supervisory authority or another competent data protection authority, where this is required of the Merchant by Articles 35 and 36 of the GDPR.

9.2. If necessary, the Bank will also assist the Merchant to a reasonable extent to ensure that the latter can implement appropriate measures in the case of an information request or inquiry of a client or the relevant state authority or an investigation or assessment concerning Personal Data processing.

9.3. Unless otherwise stipulated in the Gateway Agreement, the Bank has the right to submit an invoice to the Merchant for covering the expenses related to the assistance described in clauses 9.1 and 9.2.

9.4. The reasonable extent of assistance specified in clauses 9.1 and 9.2 depends on the nature of the processing of the Personal Data Received from Merchant and the information accessible to the Bank.

9.5. The Bank
9.5.1. allows the Merchant to use the information required to prove compliance with the Data Processing Terms;
9.5.2. allows and supports the audits organised by the Merchant, the expenses of which will be paid by the Merchant.

9.6. The audit organised by the Merchant is carried out by the third-party information security specialists or auditors selected by the Bank.
9.6.1. In order to request an audit, the Merchant will submit the audit plan, which describes the planned extent, duration and start date of the audit, to the Bank at least four weeks before the planned start of the audit. The audit must be carried out during the ordinary business hours of the Bank and may not unreasonably disturb the business activities of the Bank.
9.6.2. The Bank may demand from the Merchant or their authorised representative entry into a confidentiality agreement before the audit is conducted.
9.6.3. The Merchant organises an audit no more than once a year, at the time agreed with the Bank, and complies thereby with the terms and conditions herein.

9.7. The audit and access rights specified in clauses 9.5 and 9.6 cannot be exercised in respect of information
9.7.1. that the Bank processes as the data controller for its own purposes and on the appropriate legal grounds, and
9.7.2. that covers the data pertaining to the Bank’s clients (their accounts, deposits and transactions), which the Bank must keep secret pursuant to the relevant laws.

10. Amendments

The Bank may amend the Data Processing Terms unilaterally at any time by notifying the Merchant thereof at least 15 days before the amendment enters into force.