"Website" means the website https://platform.payzone.ie/ which is operated by Payzone Ltd., an Irish-run business.
Collection and Use of Information
At Payzone we take your privacy and your information security very seriously. Payzone will not sell or rent your personally identifiable information to anyone. As a member of an organisation your personal details will be made available to the organization (This excludes bank account/credit card information). Payzone declines all responsibility for the subsequent use of your personal information by the organisation. The personal data provided is stored on our secure computerised database to enable us to respond to your requests. We may communicate with you in the future by mail, email and telephone.
Personal information (such as name, address, telephone number, email address) is protected on a computerised system to ensure that loss, misuse, unauthorised access or disclosure, alteration or destruction of this information is not probable. Sensitive information (such as credit card number, account number) is protected by secure server software. This secure software encrypts financial information provided online through the use the Secure Sockets Layer (SSL) protocol. It prevents anyone else reading your personal and sensitive information while your fee is being processed online. It is your responsibility to keep your password secure at all times to avoid unauthorised use of your Payzone account. All access to the system is by password protected sign on. All passwords are encrypted using SHA1 Hash algorithm.
Removal or alteration of personal data
Payzone acts as the data processor in respect of all data held. Any request for the removal or alteration of personal data should be done through the registered organisation. Payzone shall provide the facility for the organisation to remove or alter data as requested.
This policy is subject to change and any such changes to our privacy and security policy will be posted on this page without prior notification. This legal notice and all issues regarding this website are governed exclusively by Irish law and are subject to the exclusive jurisdiction of the Irish courts. If you have any questions about our privacy and security policy, please contact Payzone, Payzone House, Heather Road, Sandyford, Co. Dublin or email@example.com
Data Protection Schedule
1.1 In this Data Protection Schedule the following words shall have the meanings given:
(a) controller, process, and processor have the meanings given to them in DP Law.
(b) data subject means an individual who is the subject of personal data.
(c) DP Law means: (i) the General Data Protection Regulation ((EU) 2016/679) (GDPR); and (ii) any other laws, regulations and secondary legislation enacted from time to time in the Republic of Ireland relating to data protection, the use of information relating to individuals, the information rights of individuals and/or the processing of personal data, including without limitation any legislation giving effect to GDPR or otherwise replacing current data protection legislation; and
(d) personal data has the meaning given to it in the DP Law, so far as it relates to the personal data, or any part of such personal data, of which Payzone Ltd is the processor acting on the Client Organisation's behalf and in relation to which the Client Organisation is the controller.
Compliance with data protection law
1.2 Each party shall comply with the DP Law as it applies to personal data processed under this DPA. This clause is in addition to, and does not relieve, remove, or replace, a party's obligations under the DP Law.
1.3 The Client Organisation is solely and wholly responsible for establishing and maintaining the lawful basis for the processing of personal data by Payzone Ltd under this DPA, including where applicable the obtaining of all necessary consents from data subjects, and the Client Organisation shall notify Payzone Ltd in writing on request of the applicable lawful basis for any processing Payzone Ltd is required to perform under this DPA.
Where a client organisation recruits other individuals or organisations to fundraise on their behalf the client organisation continues to be the data controller and each individual fundraiser or fundraising organisation acts as a data processor in this instance.
1.4 A description of the data processing carried out by Payzone Ltd under this DPA is set out in Part 1 of the Appendix to this Data Protection Schedule.
1.5 In respect of the personal data processed by Payzone Ltd as a data processor acting on behalf of the Client Organisation under this DPA, Payzone Ltd shall:
(a) process the personal data only on the Client Organisation's written instructions, unless required by law to process it differently (in which case it shall, if permitted by such law, promptly notify the Client Organisation of that requirement before processing).
(b) process the personal data only to the extent, and in such a manner, as is necessary for the purposes of carrying out its obligations under this DPA.
(c) ensure that it has in place appropriate technical and organisational measures to protect against unauthorised, unlawful or accidental processing, including accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data, including all measures required to ensure security of processing as prescribed by Article 32 of the GDPR, such measures in each case to be appropriate to the likelihood and severity of harm to data subjects that might result from the unauthorised, unlawful or accidental processing, having regard to the state of technological development and the cost of implementing any measures. Without limitation, Payzone Ltd shall implement any and all specific technical and organisational measures required by the Client Organisation as may be set out in this DPA.
(d) ensure that persons engaged in the processing of personal data are bound by appropriate confidentiality obligations, including after the end of their employment contract or at the end of their assignment or engagement.
(e) keep a record of the processing it carries out and ensure the same is accurate.
(f) comply promptly with any lawful request from the Client Organisation requesting access to, copies of, or the amendment, transfer, or deletion of the Personal Data to the extent the same is necessary to allow the Client Organisation to fulfil its own obligations under the DP Law, including the Client Organisation's obligations arising in respect of a request from a data subject.
(g) notify the Client Organisation promptly if it receives any complaint, notice or communication (whether from a data subject, competent supervisory authority or otherwise) relating to the processing, the personal data or to either party's compliance with the DP Law as it relates to this DPA, and provide the Client Organisation with reasonable co-operation, information and other assistance in relation to any such complaint, notice or communication.
(h) notify the Client Organisation promptly if, in its opinion, an instruction from the Client Organisation infringes any DP Law (provided always that the Client Organisation acknowledges that it remains solely responsible for obtaining independent legal advice regarding the legality of its instructions) or Payzone Ltd is subject to legal requirements that would make it unlawful or otherwise impossible for Payzone Ltd to act according to the Client Organisation's instructions or to comply with DP Law;
(i) notify the Client Organisation without undue delay after becoming aware of an actual or suspected personal data breach arising in respect of personal data provided or made available by the Client Organisation. Payzone shall assist the Client Organisation in fulfilling their respective obligations under Article 33 (Notification of a personal data breach to the supervisory authority) and Article 34 (Communication of a personal data breach to the data subject) of the GDPR.
(j) not permit any processing of the personal data processed by Payzone Ltd under this DPA by any agent, sub-contractor, supplier, processor or other third party (sub-processor) without the prior written authorisation of the Client Organisation
(k) ensure in each case that prior to the processing of any personal data by any sub-processor, terms equivalent to the terms set out in this Data Protection Schedule are included in a written contract between Payzone Ltd and any sub-processor engaged in the processing of the personal data.
(l) The Client Organisation hereby gives its prior written authorisation to the appointment by Payzone of each of the sub-processors or categories of sub-processors (as the case may be) who will process personal data listed in Part 2 of the Appendix to this Data Protection Schedule, and to the extent this authorisation is in respect of a category of sub-processors, Payzone shall inform the Client Organisation of any intended changes concerning the addition or replacement of other sub-processors; 
(m) only transfer the personal data outside of the European Economic Area (including outside of the UK if it ceases to be a member of the European Economic Area) if it has fulfilled each of the following conditions:
(i) it has provided appropriate safeguards in relation to the transfer;
(ii) data subjects continue to have enforceable rights and effective legal remedies following the transfer;
(iii) it provides an adequate level of protection to any personal data that is transferred; and
(iv) it complies with reasonable instructions notified to it in advance by the Client Organisation with respect to the transfer;
(n) inform the Client Organisation promptly (and in any event within five (5) business days) if it receives a request from a data subject for access to that person's personal data and shall:
(i) promptly provide the Client Organisation with reasonable co-operation and assistance in relation to such request; and
(ii) not disclose the personal data to any data subject (or to any third party) other than at the request of the Client Organisation or as otherwise required under this DPA.
(o) provide reasonable assistance to the Client Organisation in responding to requests from data subjects and in assisting the Client Organisation to comply with its obligations under DP Law with respect to security, breach notifications, data protection impact assessments and consultations with supervisory authorities or regulators.
(p) delete or return that personal data to the Client Organisation at the end of the duration of the processing as referred to in the Appendix, and at that time delete or destroy existing copies subject to any obligations existing under the GDPR or Member State law.
(q) subject to the requirements of commercial and Client Organisation confidentiality, make available to the Client Organisation such information as is reasonably required to demonstrate compliance with this Data Protection Schedule and, subject to any other conditions set out in this DPA regarding audit, allow for and contribute to audits, including inspections, of compliance with this Data Protection Schedule conducted by the Client Organisation or a professional independent auditor engaged by the Client Organisation. The following requirements apply to any audit:
(i) the Client Organisation must give a minimum thirty (30) days' notice of its intention to audit (or such shorter period of notice as it receives itself where an audit is mandated by its regulator);
(ii) the Client Organisation may exercise the right to audit no more than once in any calendar year;
(iii) commencement of the audit shall be subject to agreement with Payzone Ltd of a scope of work for the audit at least ten (10) days in advance;
(iv) Payzone Ltd may restrict access to certain parts of its facilities and certain records where such restriction is necessary for commercial and/or Client Organisation confidentiality;
(v) the audit shall not include penetration testing, vulnerability scanning, or other security tests;
(vi) the right to audit includes the right to inspect but not copy or otherwise remove any records, other than those that relate specifically and exclusively to the Client Organisation;
(vii) any independent auditor will be required to sign such non-disclosure agreement as is reasonably required by Payzone Ltd prior to the audit; and
(viii) the Client Organisation shall compensate Payzone Ltd for its reasonable costs (including for the time of its personnel, other than the Client Organisation relationship manager) incurred in supporting any audit. Payzone may share your data with third parties through a merger or acquisition process. In such instance, the new owners may use your personal data in the same manner as outlined in this privacy notice.
1.6 Payzone will retain personal data in accordance with the instructions of the Client Organisation and in accordance with legal requirements for retention of data.
1.7 In the absence of such an instruction regarding data retention from the Client Organisation, Payzone will impose the following default data retention policy on this data:
(i) Customer Accounts will be retained for two years after the last transaction on the account
(ii) Transaction data for Client Organisations (not including personal data) will be retained for 8 years.
(iii) Transaction data for all other organisations (not including personal data) will be retained for 6 years.
Appendix to the Data Protection Schedule Part 1 - Description of the processing
Subject matter of the processing
The processing of personal data to the extent necessary for the provision of services set out in this DPA by Payzone Ltd to the Client Organisation.
Duration of the processing
The duration of the processing of personal data by Payzone Ltd under this DPA is the period of this DPA and the longer of such additional period as: (i) is specified in any provisions of this DPA regarding data retention; and (ii) is required for compliance with law.
Nature of the processing
Such processing as is necessary to enable Payzone Ltd to comply with its obligations and exercise its rights under this DPA, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Purpose of the processing
The performance of Payzone Ltd.’s obligations and exercise of its rights under this DPA, including the performance of functions required or requested by the Client Organisation for the Client Organisation's compliance with it statutory and/or contractual obligations.
Personal data types
Personal data provided to Payzone Ltd by or on behalf of the Client Organisation, including personal data provided directly to Payzone Ltd by a data subject or third party: (i) on the instruction or request of the Client Organisation; or (ii) on the request of Payzone Ltd where Payzone Ltd has been authorised to make such request by the Client Organisation or is legally required to make such request. The personal data processed under this DPA will include.
Please see table below
Categories of data subjects
Personal data related to individuals associated with the Client Organisation (including its past and current pupils and parents / guardians. 
Obligations and rights of the controller
As set out in the DPA.
Email address to contact Org and Admin login identifier.
Used for account management
Used with consent to contact account admin.
DBA Contact Name
|Used as a link between Payment Platform and Payzone|
|Used as a link between Payment Platform and Payzone|
|Used for account management|
Used for account management
|Used for account management|
|Legal billing person on family account|
|Specific to the Organisation. May include any of Health, Age, Gender, Membership Details. Used operationally by customer organisations.|
Org uses client phone number for contact.
|Org uses client phone number for contact.|
Principal Contact No.
|Contact number for main account holder|
|Name of main account holder|
Web Admin Email
|Used for deployment of EPP link with Org (Buttons)|
Web Admin Name
|Used for deployment of EPP link with Org (Buttons)|
Special Categories of Data
Under GDPR, the following type of data is deemed to be a special category of data:
- Personal data revealing racial or ethnic origin.
- Political opinions.
- Religious or philosophical beliefs.
- Trade union membership.
- Genetic data and biometric data processed for the purpose of uniquely identifying a natural person.
- Data concerning health.
- Data concerning a natural person's sex life or sexual orientation.
And as such required explicit consent before processing.
On this platform, donations to organisations such as religious institutions or political groups falls under the exception in Article 9(d) of GDPR which states that:
“processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;"
Part 2 – Authorised sub-processors and categories of sub-processors
Authorised sub-processor / category of sub-processor
Description of the processing carried out by the sub-processor / category of sub-processor
Sending emails on behalf of Payzone and Payzone Client Organisations.
Sending SMS messages on behalf of Payzone and Payzone Client Organisations
Amazon Web Services
Securely storing data.