Version effective as from 15th of January, 2020
1.1. These Data Processing Terms (the “Data Processing Terms”) are applicable where the Bank according to the Service Agreement is acting as personal data processor on behalf of the Company.
1.2. The following document sets out terms and conditions for the Processing of Company Personal Data by the Bank.
1.3. The issues, which are not regulated in these Data Processing Terms, shall be resolved by the Parties according to Luminor General Business Terms.
2.1. In the Data Processing Terms, the following terms shall have the following meaning:
2.1.1. "Appropriate Technical and Organisational Measures" means processes and procedures such that having regard to the state of technological development and the cost of implementation, and the nature of Company Personal Data, will ensure a level of security appropriate to the harm that might result from unauthorised or unlawful Processing of, or accidental loss or destruction of, or damage to, Company Personal Data.
2.1.2. “Company” means a Customer – legal entity – who has entered into a Service Agreement with the Bank and whereby the Bank pursuant to respective Service Agreement is acting as personal data processor on behalf of said Customer.
2.1.3. "Company Personal Data" means any Personal Data Processed by the Bank on behalf of the Company pursuant to or in connection with the Service Agreement.
2.1.4. "Data Protection Laws" means GDPR and laws implementing or supplementing the GDPR as amended, replaced or superseded from time to time; any enforceable guidance and codes of practice issued by any local or EU regulatory authority responsible for administering Data Protection Laws.
2.1.5. "GDPR" means EU General Data Protection Regulation 2016/679.
2.1.6. "Subprocessor" means any person appointed by or on behalf of the Bank to process Personal Data on behalf of the Company in connection with the Service Agreement.
2.1.7. The terms "Data Subject", "Personal Data", "Personal Data Breach" and "Processing" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2.2. The capitalized terms, which are not defined in these Data Processing Terms, are defined in Luminor General Business Terms.
3.1. When processing Company Personal Data the Bank shall:
3.1.1. process the Company Personal Data in compliance with the Data Protection Laws;
3.1.2. process the Company Personal Data only to the extent, and in such manner, as is necessary for the purposes of providing the Services pursuant to the Service Agreement and/or other Service Agreements concluded between the Parties, unless Processing is required by the Applicable Law, in which case Bank shall inform the Company of that legal requirement before the relevant Processing of that Personal Data unless prohibited by the Applicable Law;
3.1.3. keep the Company Personal Data strictly confidential and not use or disclose it for any purpose other than the specific activities authorised pursuant to the Data Processing Terms and/or the respective Service Agreement;
3.1.4. take Appropriate Technical and Organisational Measures against unauthorised or unlawful Processing, accidental loss or destruction of or damage to the Company Personal Data;
3.1.5. delete Company Personal Data after expiry of the data storage term provided in these Data Processing Terms.
4.1. Details of the Processing of Company Personal Data as required by Article 28(3) of GDPR are as follows:
4.1.1. Subject matter of Processing: the provision of the Services to the Company by the Bank under the Service Agreement through Bank’s Processing of Company Personal Data;
4.1.2. Duration of the Processing: for the duration of the Service Agreement, provided, however, that Company Personal Data provided to the Bank may be stored for 10 years following payment transaction;
4.1.3. Nature and purpose of Processing: to enable Bank to provide Company with the Services and to facilitate Company’s provision of the services to the Company’s clients;
4.1.4. Categories of Data Subjects: Company’s clients, their employees, representatives, contact persons and any other persons whose Personal Data is provided to the Bank by the Company through Company’s use of the Services;
4.1.5. Type of Personal Data: all Personal Data of Data Subjects provided in Clause 4.1.4 above, that are requested by the Company from the Data Subjects through Company’s use of the Services (including, but not limited to name, surname, address, payment amount, payment details, e-mail address, phone number).
5.1. The Company shall ensure that all Data Subjects of the Company Personal Data are provided with all appropriate notices and information regarding Data Processing as required by Data Protection Laws and shall establish and maintain the necessary legal grounds for transferring the Company Personal Data to the Bank and allowing the Bank to perform the Processing contemplated hereunder.
5.2. The Company has sole responsibility to ensure that Personal Data transferred to the Bank for the Processing is adequate, relevant and limited to what is necessary in relation to the use of the Services. In any case, the Company shall avoid collecting any special categories Personal Data.
5.3. Personal Data transfer to the Bank shall be regarded as Company’s instruction to carry out its Processing on behalf of the Company. The Bank shall not be responsible for any content of the Personal Data Company transfers to the Bank through use of Service or minimisation of the Personal Data.
6.1. By entering into the Service Agreement, the Company provides to the Bank general authorisation to engage Subprocessors. Engagement of the Subprocessors is on the condition that Bank remains fully liable to the Company for the Subprocessors’s performance, as well as for any acts or omissions of the Subprocessors regarding Processing of Company Personal Data.
6.2. The Bank shall inform the Company of any intended changes concerning the addition or replacement of Subprocessors by making the respective information available on Bank's website (under section “Processing of Personal Data”). If the Company does not agree to the amendments mentioned in this Clause, the Company is entitled to withdraw unilaterally from the Service Agreement under which the Bank performs Processing of Company Personal Data, according to the procedure set forth in the Service Agreement.
6.3. Where the Bank sub-process any of its obligations, the Bank shall remain Company's sole point of contact for all matters falling within the scope of the Data Processing Terms, and shall procure that relevant Subprocessor complies with and is bound by the requirements of the Data Processing Terms as they apply to the Bank.
6.4. Bank shall procure that all Subprocessors used by it in the provision of the Services from time to time execute a confidentiality undertaking on terms that are substantially the same as (and no less onerous than) those set out in the Data Processing Terms.
7.1. The Bank shall ensure that access to the Company Personal Data is limited to:
7.1.1. duly authorized officers, employees, agents and contractors (“Bank’s Personnel”) who need access to the Company Personal Data to meet the Bank’s obligations under the Service Agreement, the Data Processing Terms and/or the Applicable Law and
7.1.2. such part or parts of the Company Personal Data as is strictly necessary for performance of the relevant Bank’s obligations.
7.1.3. The Bank shall ensure that all Bank’s Personnel:
7.1.4. are informed of the confidential nature of Personal Data;
7.1.5. have undertaken training in the care, protection and handling of Personal Data; and
7.1.6. are aware of the Bank’s obligations under the Data Protection Laws and the Data Processing Terms.
8.1. The Bank shall transfer Company Personal Data to any country outside European Economic Area or make Company Personal Data accessible from any such country subject to the terms of a data transfer agreement, which will contain standard controller – processor contractual clauses as published in the Decision of the European Commission of February 5, 2010 (Decision 2010/87/EC) or any other similar contractual clauses as may be adopted by the European Commission from time to time (‘EU Model Clauses’).
8.2. As an alternative to entering into the EU Model Clauses, the Bank may rely upon an alternative transfer safeguard permitting and providing for the lawful transfer of Personal Data to country outside the European Economic Area, provided that such safeguard is in compliance with Data Protection Laws.
9.1. Bank shall without undue delay inform Company if it becomes aware that a Personal Data Breach has occurred.
9.2. In case of a Personal Data Breach, Bank shall take adequate remedial measures as soon as possible including notifying Company, investigating and reporting to Company on the cause of the breach, including proposed corrective actions.
9.3. The Bank shall provide the following information about the Personal Data Breach:
9.3.1. the date and time that the Personal Data Breach presumably occurred;
9.3.2. description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
9.3.3. name and contact details of the data protection officer or other contact point where more information can be obtained;
9.3.4. description of the likely consequences of the Personal Data Breach;
9.3.5. description of the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
9.4. The Bank shall not have an obligation to notify any regulatory body and/or Data Subjects on Personal Data Breach, provided, however, that the Bank shall at request of the Company co-operate in adequately informing the impacted Data Subjects.
10.1. Bank shall provide reasonable assistance to the Company with any data protection impact assessments, and prior consultations with supervising authorities or other competent data privacy authorities, which are mandatory to the Company according to Article 35 or 36 of the GDPR. Where necessary, Bank shall provide reasonable assistance to Company in complying with any information request and/or enquiry, investigation or assessment of Processing initiated by the Company’s client or any relevant public authority. Unless otherwise agreed, the Bank shall have the right to invoice the Company any costs resulting from the above assistance.
10.2. Assistance according to the Clause 10.1 shall be provided in each case solely in relation to Processing of Company Personal Data by the Bank and taking into account the nature of the Processing and information available to the Bank.
10.3. The Bank makes available to the Company information reasonably necessary to demonstrate compliance with the obligations laid down in the Data Processing Terms and allow for and contribute to audits, including inspections, conducted by the Company at Company’s sole cost. Such audits and inspections shall be performed by third party information security professionals (auditors) at Bank’s selection. To request an audit, the Company must submit an audit plan at least four weeks in advance of the proposed audit date to the Bank, describing the proposed scope, duration, and start date of the audit. Audits must be conducted during regular Bank’s business hours and may not unreasonably interfere with the Bank’s business activities. The Bank may require the Company or its authorised representatives (auditors) to enter into the non – disclosure undertaking before carrying out audits and inspections. Company shall be entitled to conduct audits and inspections in accordance with this Clause no more than once per annum at a mutually agreed time.
10.4. The audit and access rights set out in Clause 10.3 cannot be applied to information processed by the Bank as a data controller for its own purposes with an appropriate legal ground or containing information about the Bank’s clients, their accounts, deposits and transactions the secret of which is the Bank’s obligation to guarantee in accordance with the Applicable Law.
11.1. The Bank may amend the Data Processing Terms unilaterally at any time. The Bank shall inform the Company about such amendments at least 14 (fourteen) days before the day when the respective amendments come into effect.