Data Processing (Client Merchants)


This document constitutes the Data Processing Addendum between Rootline B.V. (“Rootline”) and the entity, sole proprietor or individual person acting as Client Merchant (“you” or “your”).
Rootline B.V. (Company No. 83218025) is a corporation, duly organized and existing under the laws of the Netherlands, with its legal address at Prinsengracht 449 A, 1016 HN Amsterdam, hereinafter referred to as “Rootline”.

Rootline provides online payment processing and collects payments for Client Merchants, via a Partner Merchant’s Platform, from their customers (hereinafter also referred to as: “the Services”), and the following conditions apply:

  1. Client Merchant is selling goods and/or services on an online platform or marketplace (‘Partner Merchant’);

  2. Client Merchant has accepted the Client Merchants Agreement and Terms of Services of Rootline during the onboarding;

  3. In the course of the performance of the Agreement personal data in the sense of the EU General Data Protection Regulation (EU) 2016/679 (GDPR) is being processed; 

  4. With regard to the online payment processing, the payment management platform services and the collecting of payments for merchants from their customers, Rootline acts as a data processor;

  5. With regard to the performance of its own independent (legal) obligations as a licensed financial institution (e.g. obligations arising from financial legislation, anti-money laundering legislation and anti-terrorism statutory frameworks) and when performing risk management, Rootline acts as a data controller;

  6. Parties are therefore obliged to enter into a data processing addendum as stipulated in article 28 GDPR;

IT IS AGREED AS FOLLOWS:

  1. Scope of this addendum

    1. This addendum applies exclusively to the processing of personal data in the scope of the Agreement between Rootline and Client Merchant.

    2. Rootline will not be held responsible for the processing, transfer, or any other data actions performed by Partner Merchant in relation to the Agreement between Partner Merchant and Client Merchant directly.

    3. Client Merchant shall comply, at all times, with applicable privacy laws in relation to the processing of personal data in connection with the Agreement and the Services. Rootline shall comply with all mandatory requirements referred to in the GDPR applicable to Rootline.

  2. Duration

    1. This data processing addendum is entered into for the duration of the Agreement unless otherwise agreed upon in writing.

  3. Role of the Parties

    1. The Parties understand that for the provision of the Services by Rootline a distinction is made between two types of processing of personal data:  

      1. the provision of payment services (e.g. the online payment processing, and the collecting of payments from their customers) managed by Rootline on behalf of Client and provided via Partner Merchant, for which Rootline will act as a data processor and agrees to comply with the respective obligations applicable to Rootline as a data processor set out in articles 4 - 11, and 

      2. the performance by Rootline of its own independent (legal) obligations as a licensed financial institution (arising from financial legislation, e.g. anti-money laundering legislation and anti-terrorism statutory frameworks) and when performing risk management, for which Rootline will act as a data controller and agrees to comply with the respective obligations applicable to Rootline as a data controller set out in article 12.

  4. Subject matter, nature and purpose of Rootline’s processing of personal data

    1. The subject matter, nature and purpose of the processing of personal data under this data processing addendum is Rootline’s performance of the Services pursuant to the Agreement, unless required to do so otherwise by applicable privacy laws (the GDPR). Rootline shall only collect or process personal data for the duration of the Agreement and after, to the extent, and in such a manner, as is necessary for provision of the Services and in accordance with the Agreement and privacy laws (the GDPR) applicable to Rootline in its role as data processor.

    2. Where the performance of the Services involves a transfer of personal data to a processing party outside the EEA (European Economic Area), additional requirements will be met to ensure an adequate level of data protection.

  5. Data Subjects

    1. Rootline lacks a direct relationship with the Data Subject and shall notify Data Subjects to reach out to the Client Merchant first for any requests or complaints regarding their personal data. The term "Data Subject" refers to any identifiable natural person whose Personal Data is processed by Rootline on behalf of the Client Merchant in accordance with the Merchant Agreement.

  6. Personal Data

    1. Client Merchant may submit personal data to Rootline, the extent of which is determined and controlled by Client Merchant in its sole discretion. Personal data means any information relating to a Data Subject (as defined under applicable privacy laws (GDPR)).

  7. Technical and organizational measures

    1. Rootline has implemented and maintains appropriate technical and organizational measures in accordance with the GDPR. Such measures include but are not limited to physical and IT security measures, and organizational measures to protect personal data processed against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. Such measures provide a level of security that is appropriate to the risks of the processing having regard to:

      1. the state of the art technology;

      2. the costs of implementation;

      3. the nature, scope, context and purposes of processing, including the type of personal data; and

      4. risk for the rights and freedoms of natural persons that personal data relate to.

    2. The technical and organizational measures are subject to continuous technical progress and development. In this respect Rootline may implement alternative adequate measures; however, the security level of the defined measures shall not be reduced.

  8. Sub-processors

    1. Client Merchant agrees and hereby grants its unconditional and irrevocable consent that Rootline may engage third parties to process personal data in order to assist Rootline to deliver the Services (“sub-processors”). Rootline has entered or will enter into a written agreement with each sub-processor containing data protection obligations not less protective than those in this data processing addendum to the extent applicable to the nature of the services provided by such sub-processor.

    2. Rootline will provide you with a list of the current sub-processors for the Services on request. Client Merchant agrees and approves that Rootline has engaged such Sub-processors to process personal data as set out in the list.

    3. Client Merchant hereby grants its consent to Rootline to enter into any agreement or take any measures, including on behalf of Client Merchant, to establish and ensure an adequate level of data protection in the transfer of personal data to a sub-processing party outside the EEA, pursuant to European Commission approved standard contractual clauses for the transfer of personal data which the Client Merchant authorizes Rootline to enter into on its behalf, or that other appropriate legal data transfer mechanisms are used.

  9. Audits and inspections

    1. On an annual basis, Rootline is audited by an external party on the security that is in place for payment data (PCI DSS).

    2. During the term of the Client Merchant Agreement, upon prior reasonable notice of a minimum of 30 days, Rootline will allow Client Merchant to verify compliance with the obligations under this data processing addendum.

    3. Such audit, under further conditions to be provided by Rootline, shall take place at most once per year, without disruption of the business activities of Rootline, and after the Parties have entered into a non-disclosure agreement; such audit shall be carried out at the Client Merchant’s cost and expense.

  10. Notification of a data breach

    1. Rootline shall notify Partner Merchant without unreasonable delay, and within 72 hours after becoming aware of a security breach of personal data. A notification shall be made only for actual breaches with severe impact. Further to the Agreement between Partner Merchant and Client Merchant, Partner Merchant, acting as first point of contact, will be responsible for the communication of such notice to Client Merchant.

    2. The notification shall include at least the fact that a breach has occurred. In addition, the notification shall:

      - describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

      - describe the likely consequences of the personal data breach;

      - include the name and contact details of the Data Protection Officer (if appointed) or a contact person regarding privacy subjects;

      - describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

    3. Rootline shall document all data breaches in accordance with Article 33(5) GDPR, including the facts relating to the personal data breaches, the consequences thereof and the measures taken to correct the respective breach. At Client Merchant’s request, Rootline shall provide access hereto.

  11. Rights of inspection, correction, deletion, return and objection of data subjects

    1. Rootline shall ensure that data subjects can exercise their rights under the regulations set out in article 1.2. 

    2. Requests should be made via Partner Merchant and Rootline will, as soon as possible, but no later than within 30 working days after a request has been made, proceed to:

      a. provide in writing all reasonably necessary information in order for data subjects to exercise their rights under the regulations set out in article 1.2;

      b. correct, supplement, return or delete all relevant personal data as requested.

  12. Rootline’s obligations as data controller

    1. In situations where Rootline will act as a data controller, it undertakes to comply with its obligations under applicable privacy laws (the GDPR) in respect of any personal data processed under the Agreement. It shall process such personal data in connection with the Services and to fulfill its associated obligations under the Agreement or as may be required by law, court order or any government or regulatory authority and in accordance with its privacy policy which is available at www.Rootline.com.

  13. Confidentiality

    1. All personal data that Parties receive and/or collect within the context of the Agreement is subject to strict obligations of confidentiality towards third parties.

    2. The confidentiality obligation shall not apply if this processing addendum provides otherwise (as, for example, in the case of sub-processing), the provision to third parties is reasonably necessary considering the nature of the assignment or the provision is legally required.

  14. Liability

    1. Rootline and Client Merchant explicitly agree that any liability arising in connection with personal data processing shall be as provided in Article 15 of the Terms of Service.

    2. Rootline shall indemnify and hold Client Merchant harmless from any claim brought against Client Merchant by a third party as a result of a breach by Rootline of its data protection commitments in this data processing addendum, provided that Client Merchant is not in breach of this addendum. The liability of Rootline under this indemnity provision shall be limited to a maximum amount of EUR 150,000.

  15. Miscellaneous

    1. Rootline is entitled to amend this data processing addendum from time to time. Rootline shall post a notification of the amendments on its website, where reasonably possible, at least one month prior to their taking effect. 

    2. If at any time any provision of this addendum is or becomes illegal, invalid or unenforceable in any respect under the laws of any jurisdiction, this shall not affect or impair:

      1. the legality, validity or enforceability in that jurisdiction of any other provision of this addendum; or

      2. the legality, validity or enforceability under the law of any other jurisdiction of that or any other provision of this addendum; and

      any such illegal, invalid or unenforceable provision shall be replaced by a legal, valid and enforceable provision which, given the contents and purpose of this addendum is, to the greatest extent possible, similar to that of the original provision.

    3. This addendum and any contractual or non-contractual obligations arising out of or in connection with it are governed by Dutch law.

    4. The competent court in Amsterdam, the Netherlands shall have exclusive jurisdiction to settle any dispute in connection with this addendum, or any agreements resulting therefrom, without prejudice to the right of appeal.

Want to learn more?

Explore Rootline in more detail or speak to our team to see how it can support your platform.
