A&B GENERAL LIMITED DATA PROTECTION ADDENDUM RELATING TO THE PARTIES’ OBLIGATIONS UNDER THE GENERAL DATA PROTECTION REGULATION EU 2016/679 (“GDPR”) 1. Scope and Applicability 1.1 This Data Protection Addendum (“Addendum”) supplements the Payment Gateway Terms and Conditions (“Agreement”) between the parties. Any provision of the Agreement that is incompatible with this Addendum or with applicable requirements of the GDPR shall be deemed null and void. The provisions of this Addendum shall replace Section 13 of the Agreement and supersede any other conflicting provisions of the Agreement. 1.2 Part A applies in situations where we act as a processor for you and Part B applies in situations where we act as a controller, in each case, in relation to Personal Data that is exchanged between the parties concerning Customers and other data subjects. 1.3 Capitalised terms not defined in the Agreement that are used in this Addendum shall have the meaning set out in Part C. Part A: Our obligations as a processor 2. Our obligations as processor 2.1 We will act only on documented instructions from you (including in respect of any transfers of Personal Data outside the EU/EEA) unless the instructions require material changes to the Agreement. 2.2 We shall ensure that all persons authorised to process Personal Data on your behalf in relation to the Services have committed themselves to confidentiality in respect of the data. 2.3 We shall assist you, as far as is possible, in fulfilling your obligation to respond to the requests of data subjects seeking to exercise their rights under the GDPR, in so far as they relate to the provision of the Services. 2.4 To ensure the security of the Personal Data that we process on your behalf, and to safeguard the rights of data subjects, we have put in place and will maintain technical and organisational measures appropriate to the risks associated with the Services. 2.5 On receiving a written request, we shall assist you in meeting your GDPR obligations in relation to the following:(a) the security of the processing of Personal Data in relation to the Services; (b) the notification of Personal Data breaches where required; and (c) the conduct of data protection impact assessments, where necessary. 2.6 Upon termination of the Agreement and your request, we shall either delete or return all Personal Data to you, unless we are legally obliged to keep such data. 2.7 Upon request, we shall provide you with information necessary to demonstrate our compliance with the obligations set out in this Section 2, and shall allow for and contribute to audits, including inspections, conducted by you in relation to the processing activities connected to the provision of the Services. Your right to audit will be limited to once in any twelve-month period, and limited in time to a maximum of two (2) business days and scope, as reasonably agreed in advance between the parties. Reasonable advance notice of at least sixty (60) days is required, unless a Data Protection Law requires earlier audit. We will use current certifications or other audit reports to minimise unnecessary and repetitive audits. The parties will each bear their own expenses of audit, unless such audit reveals a breach by us (as independently verified by us), in which case we shall bear our own expenses of audit. If an audit determines that we have breached our obligations under the Agreement, we will promptly remedy the breach at our own cost. 2.7 We will promptly inform you if we become aware of any suspected or confirmed Personal Data Breach involving Customer Personal Data. 2.8 We shall immediately inform you if an instruction relating to Section 2.7 would, in our sole discretion, infringe the GDPR or other Data Protection Laws of the EU or an EU Member State having jurisdiction over the Agreement. 2.9 We shall not engage any subprocessors to assist in providing the Services, unless we have :(a) entered into a written contract with the subprocessor that obligates the subprocessor to comply with all relevant obligations applicable to us under this Section 2; and (b) obtained prior written authorisation from you. 2.10 A list of our existing subprocessors, their roles, and the location of the processing carried out by them is set out in the Schedule to this Addendum. By entering into this Addendum, you agree that we may use these subprocessors for the purposes of providing the Services. 2.11 We will notify you in advance of any changes to the list of subprocessors. 2.12 Subprocessors will have the same obligations as we do as a processor (or subprocessor) with regards to their processing of Personal Data. Part B: Obligations of the parties when we act as a data controller in relation to you 3. Compliance with the GDPR 3.1 The parties acknowledge that each is an independent controller of the Personal Data that it collects and processes in relation to activities that are necessary for carrying out the contractual relationship between them. This Personal Data includes, for example, the business contact data of each party’s employees and other stakeholders exchanged for the purposes of entering into the Agreement, sending promotional material and managing the business relationship. 3.2 Our Privacy Notice can be found at securetrading.com 4. Mutual Cooperation 4.1 The parties shall cooperate with one another, upon reasonable request, in relation to compliance with the provisions of the GDPR relating to the provision of the Services, including with regard to responses to data subject requests for the exercise of their rights under the GDPR and any information requests, investigations, complaints or other actions of a national data protection supervisory authority. 4.2 Where each party is acting as a controller, each party shall notify the other of any incident that involves a Personal Data Breach that relates to the provision of the Services without undue delay. The notification should describe the incident, the type of Personal Data involved, the identity of any affected persons or the approximate number of individuals affected, the potential consequences of a breach, and any immediate mitigation steps required or in progress. Part C: Definitions (a) “Data Protection Law(s)” shall mean the Data Protection Act 1998 (the “DPA”), the Data Protection Directive (95/46/EC), the Electronic Communications Data Protection Directive (2002/58/EC), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) (as amended), the General Data Protection Regulation (2016/679) and all applicable laws and regulations relating to Personal Data and privacy which are enacted from time to time in any relevant jurisdiction, including (where applicable) the guidance and codes of practice issued by the Information Commissioner’s Office and any other competent authority, and the equivalent of any of the foregoing in any relevant jurisdiction. Where the term Laws in used in the Agreement, it shall be construed to include the Data Protection Laws. (b) “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 as applied, modified, added to, limited, widened, substituted, replaced or repealed by UK law or regulation (and references to any Article or provision of the Regulation shall be interpreted accordingly). (c) “Personal Data” shall mean any information relating to an identified or identifiable individual; an identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity (including special categories of Personal Data listed in Article 9(1) of GDPR). (d) “Personal Data Breach” shall mean accidental, unauthorised, or unlawful destruction, loss, alteration, or disclosure of, or access to, Personal Data. 4.3 The terms "controller", "processor", "data subject" and "processing" shall have the meanings given to such terms in the GDPR, except where and to the extent that the context requires otherwise. 5. Liability 5.1 Subject to clause 6 of the Agreement, we shall only be liable for damage caused by processing where we have not complied with our obligations under Clause 2 of this Addendum or where we have acted outside or contrary to lawful and agreed instructions from you. SCHEDULE TO ADDENDUMThis list identifies the subprocessors authorised to access Personal Data used by our systems. Sub processors are permitted to process Personal Data to deliver the services we have retained them to provide. They are prohibited from using Personal Data for any other purpose. Subcontractor Location Function(s) Performed ACI United Kingdom / United States of America Cardholder Fraud Monitoring Allied Irish Bank Ireland Transaction Processing and Settlement Alipay China Transaction Processing and Settlement Amazon Ireland / United Kingdom Operations and Service Maintenance American Express United Kingdom Transaction Processing and Settlement Australia and New Zealand Banking Australia Transaction Processing and Settlement Apple Inc United States of America Transaction Processing and Settlement Atlassian United States of America / Ireland Operations and Service Maintenance ATOS United Kingdom Transaction Processing and Settlement Barclays United Kingdom Transaction Processing and Settlement Catella Luxembourg Transaction Processing and Settlement Chase Bank United States of America Transaction Processing and Settlement Cloudflare United States of America Content Delivery Network Compass United States of America Transaction Processing and Settlement Currency Select United States of America Exchange Rate Processing Datawire Australia Transaction Processing Elavon United States of America Transaction Processing and Settlement Finastra Ireland Operations and Service Maintenance First Data United Kingdom Transaction Processing and Settlement Fexco United Kingdom Exchange Rate Processing Funanga Ireland Transaction Processing and Settlement G4S Germany Operations and Service Maintenance HSBC United Kingdom Transaction Processing and Settlement JetPay United States of America Transaction Processing and Settlement Omnipay Ireland Transaction Processing and Settlement PPro United Kingdom Transaction Processing and Settlement Mastercard United Kingdom / United States of America / Europe Cardholder Fraud Monitoring Transaction Processing Microsoft United States of America / Ireland Operations and Service Maintenance Millennium Digital United States of America Transaction Processing and Settlement PayPal United States of America Transaction Processing and Settlement Paysafe Germany Transaction Processing and Settlement Salesforce United States of America Operations and Service Maintenance Customer and Technical Support Streamline United Kingdom Transaction Processing and Settlement The Access Group United Kingdom Operations and Service Maintenance Vantiv United States of America Transaction Processing and Settlement Visa Europe / United States of America Transaction Processing Notice and DisclaimerThis Schedule is subject to change at any time. Last updated: 24th May 2018