Data Processing

Reference is made to the agreement (“Agreement“) between (1) Clear Junction and (2) the Client for the provision of Payment Services. This data processing addendum (“DPA“) is incorporated by reference into the Agreement.

Where Clear Junction and a Client have confirmed in such Agreement that they agree that the Client shall be the Controller and Clear Junction shall be the Processor in respect of any Personal Data which is received from or on behalf of the Client by Clear Junction in connection with that Agreement (“Client’s Personal Data“). All such processing shall be undertaken in accordance with this DPA.

In the event of any conflict between certain provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail solely with respect to the Processing of Personal Data.

For avoidance of doubt, terms not defined herein shall have the same meaning as they do in the Agreement.

Applicable Law means any and all applicable laws, legislation, bye-laws, decisions, notices, statutes, orders, rules (including any rules or decisions of court), regulations, directives, edicts, schemes, warrants, local government rules, statutory instruments or other delegated or subordinate legislation and any directions, codes of practice issued pursuant to any legislation, voluntary codes, other instruments made or to be made under any statute and codes of conduct and mandatory guidelines (including in all cases those that relate to audit, accounting or financial reporting) and which have legal effect, whether local, national, international or otherwise existing from time to time, together with any similar instrument having legal effect in the relevant circumstances applicable to each Party,
Clear Junction Group means the group of which Clear Junction is a part, consisting of its parent undertakings, its subsidiaries and the entities in which the parent undertaking or its subsidiaries hold a participation
Data Protection Laws means any applicable law relating to the processing, privacy, and use of personal data, as applicable to a Party in relation to this Agreement including: (i) the UK Data Protection Act 2018 and the UK GDPR; the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and, from the date of its becoming applicable, any legislation intended to replace the PECR and all Applicable Laws and regulations relating to the privacy, protection or processing of personal data, including where applicable guidance and codes of practice issued by the Information Commissioner and, as applicable, the equivalent of any of the foregoing in any relevant jurisdiction;;
(ii)         the UK General Data Protection Regulation (UK GDPR): the retained version of Regulation (EU) 2016/679 (“GDPR”) as it forms part of the law of the United Kingdom, by virtue of section 3 of the European Union (Withdrawal) Act 2018, and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419); and
(iii)         any guidance and/or codes of practice issued by any relevant supervisory authority, (to the extent that such codes of practice have legal effect in the UK) relating to data protection or the privacy of individuals, in each case as amended, supplemented or replaced from time to time. Data Controller, Processor, Sub-Processor Data Subject, Personal Data and Processing shall have the meanings given to those terms in Data Protection Laws (and related terms such as “process” shall have corresponding meanings);
EEA means the European Economic Area
Payment Services means the provision of a Payment Account and each of the Payment Options the Parties have agreed to provide;
Supervisory Authority means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws
  1. Clear Junction confirms that
    1. the subject matter of the processing is as set out in the Agreement and the duration of the processing will be for
      1. as long as may be required for the purposes of providing the Payment Services and
      2. otherwise for as long as may be required by Applicable Law.
    2. the processing will be for the purposes of providing the Payment Services and as may be required by Applicable Law
    3. the category of Data Subjects will be individual Customers of the Client and beneficiaries of individual Customers of the Client
    4. the type of personal data will be
      1. General information relating to individuals such as Name, Address, Telephone number, Credit Rating, NI number, Passport number and Date of birth; and
      2. Financial information relating to individuals such as Customer Account No, Beneficiary Account No, Account Balance and IBAN Details (combination of Sort Code and Account No)

      in each case all as more fully described in Clear Junction’s privacy policy, as amended from time to time.

  1. The Client warrants, represents and undertakes to Clear Junction, that (to the extent Data Protection Laws are applicable to data that Client sends to Clear Junction hereunder for processing):
    1. all data sourced or provided by the Client for use in connection with the Payment Services shall comply in all respects with Data Protection Laws, including in terms of its collection, storage and processing;
    2. the Client has provided all of the required fair processing information to, and has obtained all necessary consents from, Data Subjects, or otherwise has satisfied itself that it has a lawful basis under Data Protection Laws, in order for the use of the Client’s Personal Data by Clear Junction, including the transfer of the Client’s Personal Data to International Recipients (as per the definition in clause 10) pursuant to clause 1.10, to the extent reasonably required in order to provide the Payment Services, and such other uses as may be required by Applicable Law; and
    3. all instructions given by the Client to Clear Junction in respect of Personal Data shall at all times be in accordance with Data Protection Laws.
  2. Where Clear Junction processes Client’s Personal Data on behalf of the Client, unless required to do otherwise by Applicable Law, Clear Junction shall process the Client’s Personal Data only on and in accordance with the Client’s documented instructions contained in this Data Processing Addendum, Clear Junction’s privacy policy (as amended from time to time) and the Agreement (“Processing Instructions“).
  3. Clear Junction shall implement and maintain appropriate technical and organisational measures in relation to the processing of Client’s Personal Data by Clear Junction so as to enable compliance with the requirements of Data Protection Laws:
  4. Clear Junction shall assist the Client in the fulfilment of the Client’s obligations to respond to Data Subject Requests relating to the Client’s Personal Data by ensuring that all Data Subject Requests it receives are recorded and then referred to the Client as soon as reasonably practical but in any event within 10 (ten) Business Days of receipt of the request.
  5. Client gives Clear Junction general authorisation to engage Sub-Processors without obtaining any further written, specific authorization from the Client, provided that Clear Junction notifies the Client in writing about the identity of any new potential Sub-Processor that is not a member of the Clear Junction Group. If the Client wishes to object to the relevant Sub- Processor, the Client shall give notice hereof in writing within 10 (ten) Business Days from receiving the notification from Client. Absence of any objections from the Data Controller shall be deemed consent to the relevant Sub-Processor.
  6. Clear Junction shall use reasonable endeavours to appoint the Sub-Processor under a binding written contract which imposes materially the same data protection obligations as are contained in this Agreement on the Sub-Processor.
  7. Clear Junction shall take steps to ensure that all Clear Junction’s personnel processing the Client’s Personal Data are subject to an obligation with Clear Junction to keep the Client’s Personal Data confidential (except where disclosure is required in accordance with Applicable Law, in which case Clear Junction shall, where practicable and not prohibited by Applicable Law, notify the Client of any such requirement before such disclosure).
  8. Clear Junction shall provide reasonable assistance, information and cooperation to the Client to ensure compliance with the Client’s obligations under Data Protection Laws with respect to: (i) security of processing; (ii) notification by the Client of breaches to the Supervisory Authority or Data Subjects; and (iii) data protection impact assessments required under Data Protection Laws and prior consultation with a Supervisory Authority regarding high risk processing, provided that in each case the Client shall pay Clear Junction’s reasonable costs for providing the assistance in this clause 9.
  9. The Client agrees that Clear Junction may transfer the Client’s Personal Data to third parties, including to countries outside the EEA or to any international organisation (an “International Recipient“), to the extent reasonably required in order to provide the Payment Services and otherwise as may be required by Applicable Law provided that Clear Junction shall use reasonable endeavours to ensure that any such transfer to an International Recipient (and any onwards transfer) is effected in a manner that complies with Data Protection Laws. Notwithstanding the foregoing if and to the extent the Client requests that Clear Junction sends any of the Client’s Personal Data to a third party, including a third party located outside the EEA, for the purposes of the Payment Services or otherwise in order to comply with Applicable Law, the Client will be deemed to have consented to such Sub-Processing . The provisions of this Agreement shall constitute the Client’s instructions with respect to such transfers.
  10. Clear Junction shall, at the Client’s written request, either securely delete or return all the Client’s Personal Data to the Client in within a reasonable time after the end of the provision of the relevant Payment Services related to processing or, if earlier, the processing by Clear Junction of any of the Client’s Personal Data is no longer required for Clear Junction’s performance of its obligations under this Agreement, and securely delete existing copies (unless storage of any data is required by Applicable Law, and if so Clear Junction shall notify the Client of this).
  11. Clear Junction reserves the right to temporarily suspend access to the Payment Account for technical, security or maintenance reasons, or as may be required from time to time to ensure compliance with Data Protection Laws or any other Applicable Law, without these operations entitling the Client to any compensation.

Version October 2022