Privacy Policy
"Website" means the website www.easypaymentsplus.com or www.easypaymentsplus.ie or www.easypaymentsplus.co.uk which are operated by Payzone Ltd., an Irish-run business. Further information is available on the About Us page.
Collection and Use of Information
At Easy Payments Plus we take your privacy and your information security very seriously. Easy Payments Plus will not sell or rent your personally identifiable information to anyone. As a member of an organisation your personal details will be made available to the organisation (this excludes bank account/credit card information). Easy Payments Plus declines all responsibility for the subsequent use of your personal information by the organisation. The personal data provided is stored on our secure computerised database to enable us to respond to your requests. We may communicate with you in the future by mail, email and telephone.
Security
Personal information (such as name, address, telephone number, email address) is protected on a computerised system to ensure that loss, misuse, unauthorised access or disclosure, alteration or destruction of this information is not probable. Sensitive information (such as credit card number, account number) is protected by secure server software. This secure software encrypts financial information provided online through the use of the Secure Sockets Layer (SSL) protocol. It prevents anyone else reading your personal and sensitive information while your fee is being processed online. It is your responsibility to keep your password secure at all times to avoid unauthorised use of your Easy Payments Plus account.
All access to the system is by password-protected sign-on. All passwords are encrypted using the SHA1 hash algorithm.
Removal or alteration of personal data
Easy Payments Plus acts as the data processor in respect of all data held. Any request for the removal or alteration of personal data should be done through the registered organisation. Easy Payments Plus shall provide the facility for the organisation to remove or alter data as requested.
General
Cookie Policy
What Are Cookies
As is common practice with almost all professional websites this site uses cookies, which are tiny files that are downloaded to your computer. This page describes what information they gather, how we use it and why we sometimes need to store these cookies.
How We Use Cookies
This site uses Google Analytics which is one of the most widespread and trusted analytics solutions on the web for helping us to understand how you use the site and ways that we can improve your experience. These cookies may track things such as how long you spend on the site and the pages that you visit so we can continue to produce engaging content. For more information on Google Analytics cookies, see the official Google Analytics page.
Data Protection Schedule
Definitions
1.1 In this Data Protection Schedule the following words shall have the meanings given:
(a) controller, process, and processor have the meanings given to them in DP Law;
(b) data subject means an individual who is the subject of personal data;
(c) DP Law means: (i) the General Data Protection Regulation ((EU) 2016/679) (GDPR); and (ii) any other laws, regulations and secondary legislation enacted from time to time in the Republic of Ireland relating to data protection, the use of information relating to individuals, the information rights of individuals and/or the processing of personal data, including without limitation any legislation giving effect to GDPR or otherwise replacing current data protection legislation; and
(d) personal data has the meaning given to it in the DP Law, so far as it relates to the personal data, or any part of such personal data, of which Payzone Ltd is the processor acting on the Client Organisation's behalf and in relation to which the Client Organisation is the controller.
Compliance with data protection law
1.2 Each party shall comply with the DP Law as it applies to personal data processed under this DPA. This clause is in addition to, and does not relieve, remove, or replace, a party's obligations under the DP Law.
Data processing
1.3 The Client Organisation is solely and wholly responsible for establishing and maintaining the lawful basis for the processing of personal data by Payzone Ltd under this DPA, including where applicable the obtaining of all necessary consents from data subjects, and the Client Organisation shall notify Payzone Ltd in writing on request of the applicable lawful basis for any processing Payzone Ltd is required to perform under this DPA.
1.4 A description of the data processing carried out by Payzone Ltd under this DPA is set out in Part 1 of the Appendix to this Data Protection Schedule.
1.5 In respect of the personal data processed by Payzone Ltd as a data processor acting on behalf of the Client Organisation under this DPA, Payzone Ltd shall:
(a) process the personal data only on the Client Organisation's written instructions, unless required by law to process it differently (in which case it shall, if permitted by such law, promptly notify the Client Organisation of that requirement before processing);
(b) process the personal data only to the extent, and in such a manner, as is necessary for the purposes of carrying out its obligations under this DPA;
(c) ensure that it has in place appropriate technical and organisational measures to protect against unauthorised, unlawful or accidental processing, including accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data, including all measures required to ensure security of processing as prescribed by Article 32 of the GDPR, such measures in each case to be appropriate to the likelihood and severity of harm to data subjects that might result from the unauthorised, unlawful or accidental processing, having regard to the state of technological development and the cost of implementing any measures. Without limitation, Payzone Ltd shall implement any and all specific technical and organisational measures required by the Client Organisation as may be set out in this DPA;
(d) ensure that persons engaged in the processing of personal data are bound by appropriate confidentiality obligations, including after the end of their employment contract or at the end of their assignment or engagement;
(e) keep a record of the processing it carries out, and ensure the same is accurate;
(f) comply promptly with any lawful request from the Client Organisation requesting access to, copies of, or the amendment, transfer or deletion of the Personal Data to the extent the same is necessary to allow the Client Organisation to fulfil its own obligations under the DP Law, including the Client Organisation's obligations arising in respect of a request from a data subject;
(g) notify the Client Organisation promptly if it receives any complaint, notice or communication (whether from a data subject, competent supervisory authority or otherwise) relating to the processing, the personal data or to either party's compliance with the DP Law as it relates to this DPA, and provide the Client Organisation with reasonable cooperation, information and other assistance in relation to any such complaint, notice or communication;
(h) notify the Client Organisation promptly if, in its opinion, an instruction from the Client Organisation infringes any DP Law (provided always that the Client Organisation acknowledges that it remains solely responsible for obtaining independent legal advice regarding the legality of its instructions) or Payzone Ltd is subject to legal requirements that would make it unlawful or otherwise impossible for Payzone Ltd to act according to the Client Organisation's instructions or to comply with DP Law;
(i) notify the Client Organisation without undue delay after becoming aware of an actual or suspected personal data breach arising in respect of personal data provided or made available by the Client Organisation. Payzone shall assist the Client Organisation in fulfilling their respective obligations under Article 33 (Notification of a personal data breach to the supervisory authority) and Article 34 (Communication of a personal data breach to the data subject) of the GDPR.
(j) not permit any processing of the personal data processed by Payzone Ltd under this DPA by any agent, sub-contractor, supplier, processor or other third party (sub-processor) without the prior written authorisation of the Client Organisation;
(k) ensure in each case that prior to the processing of any personal data by any sub-processor, terms equivalent to the terms set out in this Data Protection Schedule are included in a written contract between Payzone Ltd and any sub-processor engaged in the processing of the personal data;
(l) The Client Organisation hereby gives its prior written authorisation to the appointment by Payzone of each of the sub-processors or categories of sub-processors (as the case may be) who will process personal data listed in Part 2 of the Appendix to this Data Protection Schedule, and to the extent this authorisation is in respect of a category of sub-processors, Payzone shall inform the Client Organisation of any intended changes concerning the addition or replacement of other sub-processors; [1]
(m) only transfer the personal data outside of the European Economic Area (including outside of the UK if it ceases to be a member of the European Economic Area) if it has fulfilled each of the following conditions: (i) it has provided appropriate safeguards in relation to the transfer; (ii) data subjects continue to have enforceable rights and effective legal remedies following the transfer; (iii) it provides an adequate level of protection to any personal data that is transferred; and (iv) it complies with reasonable instructions notified to it in advance by the Client Organisation with respect to the transfer;[2]
(n) inform the Client Organisation promptly (and in any event within five (5) business days) if it receives a request from a data subject for access to that person's personal data and shall:
(i) promptly provide the Client Organisation with reasonable co-operation and assistance in relation to such request; and
(ii) not disclose the personal data to any data subject (or to any third party) other than at the request of the Client Organisation or as otherwise required under this DPA;
(o) provide reasonable assistance to the Client Organisation in responding to requests from data subjects and in assisting the Client Organisation to comply with its obligations under DP Law with respect to security, breach notifications, data protection impact assessments and consultations with supervisory authorities or regulators;
(p) delete or return that personal data to the Client Organisation at the end of the duration of the processing as referred to in the Appendix, and at that time delete or destroy existing copies subject to any obligations existing under the GDPR or Member State law;
(q) subject to the requirements of commercial and Client Organisation confidentiality, make available to the Client Organisation such information as is reasonably required to demonstrate compliance with this Data Protection Schedule and, subject to any other conditions set out in this DPA regarding audit, allow for and contribute to audits, including inspections, of compliance with this Data Protection Schedule conducted by the Client Organisation or a professional independent auditor engaged by the Client Organisation. The following requirements apply to any audit: (i) the Client Organisation must give a minimum thirty (30) days' notice of its intention to audit (or such shorter period of notice as it receives itself where an audit is mandated by its regulator); (ii) the Client Organisation may exercise the right to audit no more than once in any calendar year; (iii) commencement of the audit shall be subject to agreement with Payzone Ltd of a scope of work for the audit at least ten (10) days in advance; (iv) Payzone Ltd may restrict access to certain parts of its facilities and certain records where such restriction is necessary for commercial and/or Client Organisation confidentiality; (v) the audit shall not include penetration testing, vulnerability scanning, or other security tests; (vi) the right to audit includes the right to inspect but not copy or otherwise remove any records, other than those that relate specifically and exclusively to the Client Organisation; (vii) any independent auditor will be required to sign such non-disclosure agreement as is reasonably required by Payzone Ltd prior to the audit; and (viii) the Client Organisation shall compensate Payzone Ltd for its reasonable costs (including for the time of its personnel, other than the Client Organisation relationship manager) incurred in supporting any audit.
Payzone may share your data with third parties through a merger or acquisition process. In such instance, the new owners may use your personal data in the same manner as outlined in this privacy notice.
Data Retention
1.6 Payzone will retain personal data in accordance with the instructions of the Client Organisation and in accordance with legal requirements for retention of data.
1.7 In the absence of such an instruction regarding data retention from the Client Organisation, Payzone will impose the following default data retention policy on this data:
(i) Customer Accounts will be retained for two years after the last transaction on the account
(ii) Transaction data for Client Organisations (not including personal data) will be retained for 8 years.
(iii) Transaction data for all other organisations (not including personal data) will be retained for 6 years.
Appendix to the Data Protection Schedule
Part 1 - Description of the processing
| Subject matter of the processing | The processing of personal data to the extent necessary for the provision of services set out in this DPA by Payzone Ltd to the Client Organisation. |
| Duration of the processing | The duration of the processing of personal data by Payzone Ltd under this DPA is the period of this DPA and the longer of such additional period as: (i) is specified in any provisions of this DPA regarding data retention; and (ii) is required for compliance with law. |
| Nature of the processing | Such processing as is necessary to enable Payzone Ltd to comply with its obligations and exercise its rights under this DPA, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. |
| Purpose of the processing | The performance of Payzone Ltd's obligations and exercise of its rights under this DPA, including the performance of functions required or requested by the Client Organisation for the Client Organisation's compliance with its statutory and/or contractual obligations. |
| Personal data types | Personal data provided to Payzone Ltd by or on behalf of the Client Organisation, including personal data provided directly to Payzone Ltd by a data subject or third party: (i) on the instruction or request of the Client Organisation; or (ii) on the request of Payzone Ltd where Payzone Ltd has been authorised to make such request by the Client Organisation or is legally required to make such request. The personal data processed under this DPA will include: please see table below. |
| Categories of data subjects | Personal data related to individuals associated with the Client Organisation (including its past and current pupils and parents / guardians). [3] |
| Obligations and rights of the controller | As set out in the DPA. |
| Personal Data | Purpose |
| Contact Email | Email address to contact Org and Admin login identifier. |
| Contact Name | Used for account management |
| Contact Phone | Used with consent to contact account admin. |
| DBA Contact Name | Used as a link between Payment Platform and EPP |
| DBA Phone | Used as a link between Payment Platform and EPP |
| Org Address | Used for account management |
| Org Email | Used for account management |
| Org Name | Used for account management |
| Parent Name | Legal billing person on family account |
| PERSONAL INFORMATION | Specific to the Organisation. May include any of Health, Age, Gender, Membership Details. Used operationally by customer organisations. |
| Phone (Landline) | Org uses client phone number for contact. |
| Phone (Mobile) | Org uses client phone number for contact. |
| Principal Contact No. | Contact number for school principal |
| Principal Name | Name of school principal |
| Student ID | Unique student identifier for school |
| Student Name | Name of student within a school/club family account |
| Web Admin Email | Used for deployment of EPP link with Org (Buttons) |
| Web Admin Name | Used for deployment of EPP link with Org (Buttons) |
Part 2 – Authorised sub-processors and categories of sub-processors 4
| Authorised sub-processor / category of sub-processor | Description of the processing carried out by the sub-processor / category of sub-processor |
| MailChimp | Sending emails on behalf of Payzone and Payzone Client Organisations |
| Clickatell | Sending SMS messages on behalf of Payzone and Payzone Client Organisations |
| Amazon Web Services | Securely storing data. |