Data processing agreement

This Data Processing Agreement (“DPA” / “Agreement”) is subject to and forms part of your PawaPay Merchant Services Agreement (the “Master Agreement”), where applicable, and governs PawaPay’s (herein defined as the “Processor”) and its Affiliates’ Processing of Personal Data.

AGREED TERMS

1. Definitions and Interpretation

1.1 Definitions:


Authorised Persons: the persons or categories of persons that the Merchant authorises to give the Processor written personal data processing instructions and from whom the Processor agrees solely to accept such instructions.


Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing: have the meanings given to them in the Data Protection Legislation.


Data Processing Purposes: are as stated in clause 2.2.


Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the Processor or Merchant’s jurisdictions including without limitation the Ethiopian Data Protection Proclamation No. 1321/2024 (and guidelines made thereunder), and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications and the National Bank of Ethiopia directives).


Records: has the meaning given to it in Clause 12.


Standard Contractual Clauses (SCCs): the contractual clauses approved by the Regulatory Authority for the transfer of Personal Data to processors established in third countries, or such alternative clauses as may be approved under Ethiopian Law from time to time.


Regulatory Authority: means the applicable data privacy regulator in the Processor and Merchant’s jurisdictions, specifically the Ethiopian Communications Authority (or any successor body designated under Proclamation 1321/2024).


Term: this Agreement's term as defined in Clause 10.

1.2 This Agreement is subject to the terms of the Master Agreement and is incorporated into the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this Agreement.

1.3 A reference to writing or written includes faxes and email.


1.4 In the case of conflict or ambiguity between:

(a) any of the provisions of this Agreement and the provisions of the Master Agreement, the provisions of this Agreement will prevail; and

(b) any of the provisions of this Agreement and any executed SCC, the provisions of the executed SCC will prevail.

2. Personal Data Types and Processing Purposes

2.1 The Merchant and the Processor agree and acknowledge that for the purpose of the Data Protection Legislation:

(a) the Merchant is the Controller, and PawaPay is the Processor.

(b) the Merchant retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required explicit consent (as required by the Proclamation) from its End Users, and for the written processing instructions it gives to the Processor.


2.2 Data Processing Purposes: The purpose of PawaPay processing the Personal Data is to:

(a) service the PawaPay platform; and

(b) provide and provide access to the Services.


2.3 Data Subject: PawaPay may process the Personal Data of End Users, Merchant representatives and anyone who accesses or uses the PawaPay platform.


2.4 Duration of Processing: for the Term and any period required to perform a party’s post-termination obligations under Ethiopian Law.

3. Processor's Obligations


3.1 The Processor will only process the Personal Data to the extent, and in such a manner, as is necessary for the Data Processing Purposes in accordance with the Merchant's written instructions from Authorised Persons. The Processor will not process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation. The Processor must promptly notify the Merchant if, in its opinion, the Merchant's instructions do not comply with the Data Protection Legislation.

3.2 The Processor must comply with any Merchant written instructions requiring the Processor to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.

3.3 The Processor will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third-parties unless the Merchant or this Agreement specifically authorises the disclosure, or as required by Ethiopian law, court or the Regulatory Authority. If an Ethiopian law, court or the Regulatory Authority requires the Processor to process or disclose the Personal Data to a third-party, the Processor must first inform the Merchant of such legal or regulatory requirement, unless the law prohibits the giving of such notice.

3.4 The Processor will reasonably assist the Merchant with meeting the Merchant's compliance obligations under the Data Protection Legislation, taking into account the nature of the Processor's processing and the information available to the Processor, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Regulatory Authority.

3.5 The Processor must notify the Merchant promptly of any changes to the Data Protection Legislation that may reasonably be interpreted as adversely affecting the Processor's performance of the Master Agreement or this Agreement.

4. Processor's Employees


The Processor will ensure that all of its employees:

(a) are informed of the confidential nature of the Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data; and

(b) are aware both of the Processor's duties and their personal duties and obligations under the Data Protection Legislation and this Agreement.

5. Security

5.1 The Processor must at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data, as required by Proclamation No. 1321/2024.

5.2 The Processor must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

(d) a process for regularly testing, assessing and evaluating the effectiveness of the security measures.

6. Personal Data Breach

6.1 The Processor will without undue delay notify the Merchant in writing if it becomes aware of:

(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. The Processor will restore such Personal Data at its own expense as soon as possible.

(b) any accidental, unauthorised or unlawful processing of the Personal Data; or

(c) any Personal Data Breach.


6.2 Where the Processor becomes aware of (a), (b) and/or (c) above, it will, without undue delay, also provide the Merchant with the following written information:

(a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;

(b) the likely consequences; and

(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.


6.3 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will coordinate with each other to investigate the matter. Further, the Processor will reasonably cooperate with the Merchant at no additional cost to the Merchant.


6.4 The Processor will not inform any third-party of any accidental, unauthorised or unlawful processing and/or a Personal Data Breach without first obtaining the Merchant's written consent, except when required to do so by Ethiopian law.


6.5 The Processor agrees that the Merchant has the sole right to determine breach notification and remedies.


6.6 The Processor will cover all reasonable expenses associated with the performance of these obligations unless the matter arose from the Merchant's instructions or negligence.

6.7 The Processor will also reimburse the Merchant for actual reasonable expenses incurred when responding to an incident caused by the Processor.

7. Cross-Border Transfers of Personal Data


7.1 The Processor may transfer Personal Data outside Ethiopia as necessary to provide the Services, provided such transfer complies with Proclamation No. 1321/2024. Personal Data may be transferred to Affiliates, subprocessors and MNOs in other jurisdictions.


7.2 The Controller authorises such transfers provided adequate protection is ensured.


7.3 Other transfers require Merchant consent.


7.4 Transfers are permitted only where adequacy, safeguards, or lawful transfer grounds exist.

8. Subprocessors

8.1 PawaPay engages subprocessors to provide the Services.


8.2 Additional subprocessors require Merchant consent and equivalent contractual protections.


8.3 Approved subprocessors are deemed authorised at commencement.


8.4 The Processor remains fully liable.

9. Complaints, Data Subject Requests and Third-Party Rights

The Processor must assist with Data Subject rights, notify complaints promptly, and cooperate fully.

10. Term and termination

This Agreement remains effective while the Master Agreement is active, data is retained, or until terminated with notice.

11. Data storage, data return and destruction

Personal Data shall be retained in accordance with Ethiopian law and securely deleted or returned following expiry or termination.

12. Records

The Processor will maintain adequate processing records and provide them upon request.

13. Audit

The Processor will permit audits and conduct internal security assessments.

14. Warranties

The Processor warrants compliance with Ethiopian Data Protection Legislation and appropriate safeguards.

15. Indemnification

The Processor indemnifies the Merchant against losses arising from non-compliance, subject to standard limitations.