Data Processing Agreement



Effective from:

Nov 1, 2023

This Data processing Agreement (“DPA”) is subject to and forms part of the Merchant Services Agreement (“MSA”) and governs Fung’s processing of Personal Data and is entered into between Merchant and Fung, together referred as the “Parties”.


1. Definitions and Interpretation

Capitalised terms not defined in this DPA have the meaning given to them in the MSA. Unless otherwise defined herein, capitalised terms and expressions used in this DPA shall have the following meaning:

1.1 Personal Data:
means any information relating to (i) an identified or identifiable natural person and/or, (ii) an identified or identifiable legal entity (where such information is protected similarly as Personal Data or personally identifiable information under applicable Data Protection Laws);

1.2 Contracted Processor:
means a Subprocessor;

1.3 Customer:
the Merchant’s Customers who wish to pay for products and/or services provided by the Merchant.

1.4 Personal Data Breach:
as defined in Clause 7 hereof .

1.5 Data Protection Laws:
means all laws and regulations including but not limited to the GDPR as well as other laws and regulations of the EU/EEA, UK and/or Switzerland, applicable to the Processing of Personal Data under this DPA.

1.6 DPA:
means this Data processing Agreement and all Schedules;

1.7 GDPR:
means EU General Data Protection Regulation 2016/679;

1.8 Services:
means the services Fung provides as part of the MSA;

1.9 Subprocessor:
means any person appointed by or on behalf of the Processor to process Personal Data on behalf of the Company in connection with the DPA;

1.10 Technical and Organisational Measures:
means measures aimed at protecting Personal Data against accidental, unlawful or unauthorised processing including destruction, loss, alteration, disclosure, transmission or access, as set out in Appendix III hereto. 

The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data Breach”, “processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. Fung as Processor

2.1 Legal Basis
In the event Fung processes data within the meaning of this DPA, Parties acknowledge that Fung is acting as a processor on behalf of Merchant, the data controller. The processing is necessary for the performance of the MSA between Parties, specifically for the provision of payment processing services and related services as further outlined in the MSA. Please refer to Appendix I for a detailed description of Fung’s processing of Personal Data.

3. Fung's Obligations

3.1 Obligations
To the extent that Fung is acting as a processor for Merchant, Fung will:

comply with all applicable Data Protection Laws in the processing of Personal Data;

process Personal Data on behalf of and according to Merchant’s instructions. Fung will not sell, retain, use or disclose Personal Data for any purpose other than for the specific purposes of performing the Services and to comply with Law, unless otherwise permitted by the MSA (including this DPA) or applicable Data Protection Laws. Fung will inform Merchant if, in its opinion, Merchant’s instructions violate or infringe applicable Data Protection Laws; 

take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Personal Data, as strictly necessary for the purposes of the Services, and to comply with applicable Data Protection Laws, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality;

at the Merchant’s choice, and subject to Fung’s rights and obligations under the MSA (including this DPA), delete or return all Personal Data to Merchant after termination of the MSA, and delete existing copies held by Fung, unless we are required or authorised by applicable Data Protection Laws to store Personal Data for a longer period.

At the Merchant's request, when acting as the data controller, Fung will provide the necessary cooperation and assistance to help the Merchant meet Fung’s responsibilities as the data processor, in accordance with applicable laws. Such assistance, borne at the Merchant's expense, may encompass conducting Data Protection Impact Assessments relating to the Merchant's use of the Services, provided that Merchant does not otherwise have access to the relevant information, and assuming such data is available to Fung. Fung shall provide reasonable assistance to Merchant in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks, to the extent required under applicable Data Protection Laws.

Upon Merchant’s reasonable and prior written request, and no more than once every twelve (12) months, and subject to the confidentiality obligations set forth in this Agreement, Fung shall make available to Merchant the most recent third-party audit or certifications setting out Fung’s conformity in relation to Personal Data Processing activities pursuant to this DPA. Fung shall make available additional information regarding its Processing activities covered by this DPA if Merchant can reasonably demonstrate that the information provided is not sufficient to demonstrate compliance with the obligations set out in this DPA, including its Appendixes.

3.2 Subprocessors
Merchant specifically authorises Fung to engage its Subprocessors from the agreed lists of Subprocessors as attached hereto as Appendix II (“Fung Subprocessors List”). By way of this DPA, the Merchant provides general written authorization to Fung as Data Processor to engage Subprocessors as necessary to perform the Services. Fung reserves the right to change Subprocessor as listed in the Subprocessor List in Appendix II. However, when such changes occur, Fung will endeavour to provide reasonable notice to Merchant before engaging a new Subprocessor, including the date on which the new Subprocessor will begin processing Personal Data described in the Appendix I (the “Subprocessor Effective Date”). Merchant will have the right to object to the change(s) within 30 days, following the date such notice was sent or otherwise provided to Merchant, by submitting the objection in accordance with section 10.2. Merchant acknowledges that Fung's Subprocessors are essential to provide the Services and that if Merchant objects to Fung’s use of a Subprocessor, then notwithstanding anything to the contrary in your Merchant Services Agreement (including this DPA), Fung may not be able to provide the Services for which Fung uses that Subprocessor. Your continued use of the Services on or after the Subprocessor Effective Date constitutes Your acceptance of the new Ssubprocessor. You acknowledge that Fung may be restricted from disclosing Ssubprocessor agreements due to confidentiality obligations but where Fung cannot disclose a subprocessor agreement, Fung shall provide all information (on a confidential basis) to You that Fung reasonably can in connection with such agreement.

Fung will enter into a written agreement with each Subprocessor that imposes on that Subprocessor obligations comparable to those imposed on Fung under this DPA, including implementing appropriate data security measures. If a Subprocessor fails to fulfil its data protection obligations under that agreement, Fung will remain liable to Merchant for the acts and omissions of its Subprocessor to the same extent Fung would be liable if performing the relevant Services directly under this DPA

4. Merchant's Obligations

Merchant must:
only provide instructions to Fung that are compliant with applicable Data Protection Laws;

comply with and perform its obligations under applicable Data Protection Laws, including, but not limited to, with regard to Data Subject rights, data security and confidentiality, and ensure Merchant has an appropriate legal basis for the Processing of Personal Data as described in the MSA, including this DPA; and

provide Data Subjects with all necessary information (including by means of offering a transparent and easily accessible public privacy notice) regarding, respectively, Fung’s and Merchant’s processing of Personal Data for the purposes described in the MSA, including this DPA.

5. Security

Fung shall in relation to the Personal Data implement appropriate technical and organisational measures, as set out in Appendix III, to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. Fung shall maintain and enforce a security program that addresses how Fung manages security, including the security controls Fung employs.

When assessing the appropriate level of security, Fung shall take into account the risks that are presented by processing related to the Services it performs to the Merchant. Fung performs risk assessments, and implements and maintains controls for risk identification, analysis, monitoring, reporting and corrective action to ensure the risks related to the Services are properly monitored and mitigated.

6. Data Subject Rights

Processor promptly notify Merchant if it receives a request from a Data Subject under applicable Data Protection Laws in respect of Personal Data.

Processor shall ensure that it does not respond to the above request except on the documented instructions of Merchant or as required by applicable Data Protection Laws, in which case Fung shall to the extent permitted by such laws inform Merchant of that legal requirement before it responds to the request.

7. Personal Data Breach

If required by the applicable Data Protection Laws, Fung shall notify Merchant without undue delay after becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data, including Personal Data transmitted, stored, or otherwise Processed by Fung in relation to the Services (a “Personal Data Breach”). Fung shall make reasonable efforts to identify the cause of such Personal Data Breach and take those steps as Fung deems necessary and reasonable in order to remediate the cause of such a Personal Data Breach to the extent the remediation is within Fung’s reasonable control. The obligations herein shall not apply to Personal Data Breaches that are caused by Merchant or Merchant’s users of the Services.

8. Data Transfer

The parties agree that Fung may transfer Personal Data processed under this DPA outside the European Economic Area (“EEA”), the UK or Switzerland as necessary to provide the Services. If Fung transfers Personal Data protected under this DPA to a jurisdiction for which the European Commission or the UK (as applicable) has not issued an adequacy decision, Fung will ensure that appropriate safeguards have been implemented for the transfer of Personal Data in accordance with Data Protection Laws.

9. Liability

Notwithstanding anything to the contrary in the MSA or this DPA, Merchant agrees and acknowledges that Fung will not be liable for any claim made by a Data Subject arising from or related to Fung’s acts or omissions, provided Fung was acting in accordance with Merchant’s instructions.

Notwithstanding anything to the contrary in the MSA or this DPA, Merchant agrees to indemnify, defend and hold harmless Fung and each of their respective officers, shareholders, directors and employees, from and against any claims, losses, liabilities, penalties, fines, costs or expenses (including reasonable attorney fees) arising out of or in relation to (i) a Personal Data Breach that is caused by Merchant or Merchant’s users of the Services or (ii) Merchant's obligations pursuant to this MSA.

10. General Terms

10.1 Confidentiality
Each Party must keep this DPA and information it receives about the other Party and its business in connection with this DPA and the MSA (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:

  1. disclosure is required by law;

  2. the relevant information is already in the public domain.

10.2 Notices
All notices and communications given under this DPA will be conducted via email and can be addressed to our Data Protection team at

11. Governing Law and Jurisdiction

This DPA and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of the Netherlands. 

Parties undertake to take all steps to reach an amicable agreement to any dispute arising in relation to the validity, interpretation or fulfilment of the DPA. This clause is without prejudice to a party's right to seek interim relief against any other party (such as an injunction) through the competent courts to protect its rights and interests, or to enforce the obligations of any of the other parties. 

In the absence of an amicable agreement, any dispute relating to this DPA shall be submitted to the exclusive jurisdiction of the competent courts of Amsterdam, the Netherlands.