You can find the amended PayPal User Agreement below the version of that agreement currently in force by clicking here or accessing it via the “Legal” or “Legal Agreements” footer on most PayPal site pages.
1. Control and protection of personal data
When you use PayPal’s services to receive payments from your customers, both you and PayPal will be using the personal data of those customers. We have amended section 5.7 to outline PayPal’s and your agreed respective positions at law (and your obligations) regarding the use of personal data of your customers and other individuals in connection with your use of PayPal’s services. Section 5.7 now reads as follows (with added wording underlined):
“5.7 Your Refund Policy, Data Protection, Privacy Policy and Security. We recommend that if you are selling goods or services you have a published return policy and a published privacy policy on your website.
Your privacy policy must clearly and expressly indicate that all PayPal transactions are subject to the PayPal Privacy Policy. You must employ reasonable administrative, technical and physical measures to maintain the security and confidentiality of any and all PayPal data and information, including data and information about PayPal users and PayPal.
Compliance with Data Protection Laws. With regard to any personal data processed by PayPal and the merchant in connection with this Agreement, PayPal and the merchant will respectively each be a controller in respect of such processing. PayPal and the merchant agree to comply with the requirements of the Data Protection Laws applicable to controllers in respect of the provision of their respective services and otherwise in connection with this Agreement. For the avoidance of doubt, PayPal and the merchant each have their own, independently determined privacy policies, notices and procedures for the personal data they hold and are each a data controller (and not joint data controllers). In complying with the Data Protection Laws, PayPal and the merchant shall, without limitation:
- a. implement and maintain at all times all appropriate security measures in relation to the processing of personal data;
- b. maintain a record of all processing activities carried out under this Agreement; and
- c. not knowingly do anything or permit anything to be done which might lead to a breach by the other party of the Data Protection Laws.
In addition to our rights under section 10.2, where we determine that there has been or that there is a reasonable likelihood of a security breach of your website or systems that could result in the unauthorised disclosure of customer information, we may take any other actions we deem necessary and/or require you to provide us with information related to any such breach.”