Certain words and phrases in this DPA have specific definitions when they start with capital letters. Where a defined term is used, it either has the meaning set out in annex 1 below (Definitions) or the meaning given to it in the relevant clause of this DPA. ”Data controller”, “data subject”, “personal data”, “process”, “processing”, “data processor” “data subject request”, “personal data breach”, “subprocessors” and “supervisory authority” shall have the meaning given to it in the Data Protection Legislation.

2.5 Anonymisation and Derived Data. Pursuant to the licence granted by the Merchant under Section 12.3(a) of the Agreement, Sunday shall anonymise and aggregate personal data contained in Merchant Data (including, where applicable, data relating to the Merchant's personnel) for the purpose of creating Derived Data. For the purposes of clause 3.2 of this DPA, this constitutes a documented instruction from the Merchant, the execution of which results in the creation of data that no longer constitutes personal data within the meaning of the Data Protection Legislation. Once Derived Data has been created, it is no longer subject to the obligations of this DPA relating to the processing of personal data. The conditions of use and exploitation of Derived Data are governed exclusively by Section 12.3 of the Agreement.

2.6 Anonymisation of Merchant Data for Derived Data. Pursuant to the licence granted by the Merchant under Section 12.3(a) of the Agreement, Sunday shall anonymise and aggregate personal data contained in Merchant Data (including, where applicable, data relating to the Merchant's personnel) for the purpose of creating Derived Data. For the purposes of clause 3.2 of this DPA, this constitutes a documented instruction from the Merchant, the execution of which results in the creation of data that no longer constitutes personal data within the meaning of the Data Protection Legislation. Once Derived Data has been created, it is no longer subject to the obligations of this DPA relating to the processing of personal data. The conditions of use and exploitation of Derived Data are governed exclusively by Section 12.3 of the Agreement.

3.8 Sunday shall at the written direction of the Merchant, delete or return personal data and copies thereof to the Merchant on termination of this DPA unless required by Data Protection Laws or other applicable laws to store personal data.

3.9 Sunday shall implement, and at all times during this DPA maintain technical and organizational safeguards to protect personal data from unauthorized or unlawful processing or accidental loss or damage: (i) ensuring in each case a level of security appropriate to the risk; and (ii) maintaining PCI DSS level 1 service provider certification; and (iii) in addition maintaining controls in line with accepted industry practices including the International Organization for Standardization's standards: Requirements of the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

3.10 At a minimum, Sunday’s safeguards for the protection of personal data shall include: (i) securing, cloud systems, backup systems, and computing equipment, including, but not limited to, all endpoint devices and other equipment with information storage capability; (ii) implementing network, application, database, and platform security; (iii) securing information transmission, storage, and disposal; (iv) implementing authentication and access controls within media, applications, operating systems, and equipment; (v) encrypting personal data at rest where possible; (vi) encrypting personal data transmitted over transit in network; (vii) strictly segregating Merchant data from information of Sunday or its other customers so that Merchant Data is not commingled with any other types of information; (viii) conducting risk assessments, and vulnerability scans and promptly implementing, at Sunday’s sole cost and expense, a corrective action plan to correct any issues that are reported as a result of the testing; (ix) implementing appropriate personnel security and integrity procedures and practices; and (x) providing appropriate information security awareness training to Sunday employees.

3.11 Where Sunday collects end-customer personal data and marketing consent on behalf of the Merchant pursuant to the Guest Marketing Feature: (a) The Merchant is solely responsible for all marketing communications sent to end-customers using data collected via the Sunday Services, and shall ensure full compliance with all applicable data protection and electronic marketing laws, including without limitation UK GDPR and the Privacy and Electronic Communications Regulations 2003 (PECR); (b) The Merchant shall include a clear, functional, and easily accessible unsubscribe mechanism in every marketing communication sent to end-customers whose data was collected via the Sunday Services; (c) The Merchant shall only use end-customer data for the purposes for which consent was collected at the point of payment, and shall not share, sell, or transfer such data to any third party without obtaining additional appropriate consent; (d) Sunday shall bear no liability whatsoever for the content, frequency, or lawfulness of marketing communications sent by the Merchant to end-customers, provided Sunday has collected and transferred the data in accordance with this DPA; (e) The Merchant shall indemnify Sunday against any claims, penalties, or regulatory actions arising from the Merchant's non-compliance with its obligations under this clause 3.11.

3.12 Where Sunday displays a marketing consent checkbox to end-customers at the point of payment on behalf of the Merchant: (a) The consent checkbox shall clearly identify the Merchant by name as the entity that will send marketing communications, so that end-customers are fully informed of who will contact them; (b) The Merchant acknowledges that Sunday's use of a pre-checked opt-out mechanism in this context relies on the Soft Opt-in exception under PECR Regulation 22(3), and that this mechanism is only lawful where: (i) the end-customer's contact details are collected in the course of a sale; (ii) the marketing relates to the Merchant's own similar products or services; and (iii) the end-customer is given a simple and visible opportunity to refuse at the point of collection; (c) The Merchant shall not instruct Sunday to use a consent mechanism that does not meet the requirements of applicable law, and Sunday reserves the right to modify or disable the consent collection mechanism if required to comply with applicable Data Protection Laws or regulatory guidance.

the optional functionality within the Sunday Services that enables the Merchant to collect end-customer email addresses and associated marketing consent preferences at the point of payment, for the purpose of the Merchant sending marketing communications directly to its end-customers.

a data transfer mechanism permitted by the Data Protection Laws as a lawful basis for transferring personal data to a recipient located in a third country in the meaning of GDPR and the Data Protection Act 2018.

Merchant Data which may include personal data (in particular data relating to the Merchant's personnel such as first name, surname, contact details, role); transactional data relating to the Merchant's Establishment(s); User personal data to the extent processed on the Merchant's documented instructions.

Merchant's personnel (including servers); Users (to the extent their data is processed on behalf of the Merchant in accordance with its documented instructions).

The term of the Agreement, plus the period necessary for the deletion or return of all personal data by Sunday in accordance with clause 3.8 of this DPA.