These Data Processing Terms govern the processing by Speramus, Inc. (“Crew”) of your employees’ personal data with respect to your employees who reside in a Data Protection Legislation (as defined in Section 1 of these Data Processing Terms) relevant jurisdiction. Effective upon your use of any of the Services (as defined in the General Terms), you accept and agree to be bound by these Data Processing Terms with respect to your employees residing in a Data Protection Legislation relevant jurisdiction. If you are using the Services on behalf of a business, you agree that you are accepting these Data Processing Terms and have authority to enter into these Data Processing Terms, on behalf of that business.
For purposes of these Data Processing Terms, “data controller”, “data processor”, “processing” and “appropriate technical and organisational measures” shall be interpreted in accordance with the applicable Data Protection Legislation of a relevant jurisdiction. All other defined terms have the same meaning as those found in the General Terms, unless otherwise defined herein.
Square Europe, Square International, and their affiliates, including Crew, are subject to European Directive 2002/58/EC (the “e-Privacy Directive”) and the General Data Protection Regulation (EU) 2016/679 (“GDPR”, and together with the e-Privacy Directive and any legislation and/or regulation implementing or made pursuant to, or which amends, replaces, re-enacts or consolidates GDPR and/or the e-Privacy Directive, and all other applicable laws relating to processing of personal data and privacy that may exist in any relevant jurisdiction, including, where applicable, the guidance and codes of practice issued by supervisory authorities, “Data Protection Legislation”), because, in the course of providing you Services, they access information (“Personal Data”) relating to identified or identifiable natural persons residing in a Data Protection Legislation relevant jurisdiction (“Data Subjects”). For purposes of these Data Processing Terms, an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
When Crew accesses the Personal Data of your Data Subjects in the course of providing you Services, Crew and its affiliates are data processors under the applicable Data Protection Legislation of relevant jurisdiction.
Subject-matter of processing. Crew will process your Data Subjects’ Personal Data in order to allow Crew to provide the Services and as described in the General Terms and Additional Terms, including the Privacy Policy.
Nature and purpose of processing. Crew will process your Data Subjects’ Personal Data in order to carry out the Services.
The Personal Data we may process relates to the following categories of Data:
Types of Personal Data. The Personal Data we process comprises the categories of data described in our Privacy Notice.
Term of Crew’s processing. Crew will process your Data Subjects’ Personal Data during the term of the General Terms.
You accept and agree that Crew and its affiliates are processors when Crew accesses Personal Data pertaining to your Data Subjects in the course of providing the Services.
You authorize Crew to use sub-processors, provided that:
You appoint Crew as your agent to sign Standard Contractual Clauses for the transfer of Personal Data to data processors established in third countries adopted by the European Commission decision of 5 February 2010, published under document number C(2010) 593 2010/87/EU (the “Standard Contractual Clauses”) between you and sub-processors established in third countries that process personal data on your behalf. For a copy of Crew’s Standard Contractual Clauses, please contact privacy@squareup.com.
The obligations contained in this Section 3 will not be applicable when Crew acts as a data controller.
When Crew processes Personal Data in the course of providing the Services, Crew will:
The obligations contained in this Section 4 will not be applicable when Crew acts as a data controller.
In the event of any suspected destruction, loss, alteration, or disclosure of, or access to the Personal Data that the Data Processor processes or is responsible for processing in the course of providing the Services, whether accidental, unauthorized or unlawful (each such event, a “Security Breach”), Crew will take action to investigate the suspected Security Breach and to identify, prevent, and mitigate the effects of the suspected Security Breach and to remedy the Security Breach. Crew will notify you of any Security Breach without undue delay.
In the event of any conflict or inconsistency between the provisions of these Data Processing Terms, the General Terms, or any other Additional Terms, these Data Processing Terms shall prevail in relation to the subject matter of the Data Protection Legislation.