This GDPR Data Processing Addendum (“DPA”) forms part of an applicable service agreement, addenda, and Terms of Use available at or such other location as the Terms of Use may be posted from time to time (as applicable, the “Agreement”), entered into by and between partner, merchant, or client (“the Client”) and Bluefin Payment Systems LLC (“Bluefin”), pursuant to which Client has accessed or utilized Bluefin’s Services as defined in the applicable Agreement. The purpose of this DPA is to reflect the parties’ agreement with regard to the processing of personal data in accordance with the requirements of Data Protection Legislation as defined below.

If you are a Client entity and have executed an order form or statement of work with Bluefin pursuant to the Agreement (an “Ordering Document”), but are not a party to the Agreement, this DPA is an addendum to that Ordering Document and applicable renewal Ordering Documents. If you are a Client entity entering into this DPA, are neither a party to an Ordering Document nor the Agreement, this DPA is not applicable, valid, or legally binding. You should request that the Client entity that is a party to the Agreement receive this DPA.

This DPA shall not replace or supersede any agreement or addendum relating to processing of personal data negotiated by Client and referenced in the Agreement, and any such individually negotiated agreement or addendum shall apply instead of this DPA.

In the course of providing the Bluefin Services to Client pursuant to the Agreement, Bluefin may process personal data on behalf of Client. Bluefin agrees to comply with the following provisions with respect to any personal data submitted by or for Client in the provision of the Bluefin Services or collected and processed by or for Client through the Bluefin Services. Any capitalized but undefined terms herein shall have the meaning set forth in the Agreement.

Data Processing Terms

In this DPA, “Data Protection Legislation” means European Directives 95/46/EC and 2002/58/EC (as amended by Directive 2009/136/EC) and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them (including the General Data Protection Regulation (“GDPR”) (Regulation (EU) 2016/279)), and all other applicable laws relating to processing of personal data and privacy that may exist in any relevant jurisdiction.

Definitions such as “data controller”, “data processor”, “data subject”, “personal data”, “processing”, and “appropriate technical and organizational measures” shall be interpreted in accordance with applicable Data Protection Legislation. For reference, see GDPR text here:

Roles of the Parties

Depending on the Bluefin Services being addressed, Bluefin may act either as a data controller or a data processor. For the purposes of this DPA, and the Bluefin Services addressed here, Bluefin is the data processor. Parties agree that Client is the data controller and that Bluefin is its data processor in relation to personal data that is processed in the course of providing the Bluefin Services. Client shall comply at all times with Data Protection Legislation in respect of all personal data it provided to Bluefin pursuant to the Agreement.

The subject-matter of the data processing covered by this DPA are the Bluefin Services ordered by Client, as additionally described in the Agreement or the DPA. The processing will be carried out until the term of Client’s ordering of the Bluefin Services ceases. Further details of the data processing are set out in Annex 1 hereto.

In respect of personal data processed in the course of providing the Bluefin Services, Bluefin:

  1. shall process the personal data only in accordance with the documented instructions from Client (as set out in this DPA or the Agreement or as otherwise notified by Client to Bluefin (from time to time). If Bluefin is required to process the personal data for any other purpose provided by applicable law to which it is subject, Bluefin will inform Client of such requirement prior to the processing unless that law prohibits this on important grounds of public interest;
  2. shall notify Client without undue delay if, in Bluefin’s opinion, an instruction for the processing of personal data given by Client infringes applicable Data Protection Legislation;
  3. shall implement and maintain appropriate technical and organizational measures designed to protect the personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected;
  4. may hire other companies to provide limited services on its behalf, provided that Bluefin complies with the provisions of this Clause. Any such subcontractors will be permitted to process personal data only to deliver the services Bluefin has retained them to provide, and they shall be prohibited from using personal data for any other purpose. Bluefin shall be liable for the acts and omissions of its sub-processors to the same extent Bluefin would be liable if performing the services of each sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement. Any subcontractors to whom Bluefin transfers personal data will have entered into written agreements with Bluefin requiring that the subcontractor abide by terms substantially similar to this DPA.
  5. shall ensure that all Bluefin personnel required to access the personal data are informed of the confidential nature of the personal data and comply with the obligations sets out in this Clause;
  6. shall to the extent legally permitted, promptly notify Client if Bluefin receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”). Taking into account the nature of the Processing, Bluefin shall assist Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Client’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Client, in its use of the Services, does not have the ability to address a Data Subject Request Bluefin shall upon Client’s request provide commercially reasonable efforts to assist Client in responding to such Data Subject Request, to the extent Bluefin is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Client shall be responsible for any costs arising from Bluefin’s provision of such assistance.
  7. shall take reasonable steps at the Client’s request and cost to assist Client in meeting Client’s obligations under Article 32 to 36 of that regulation taking into account the nature of the processing under this DPA, provided that Bluefin reserves the right to reimbursement from Client for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance;
  8. at the end of the applicable term of the Bluefin Services, and in accordance Bluefin’s Data Retention Cycle, upon Client’s request, Bluefin shall securely destroy or return such personal data to Client;
  9. may transfer personal data from the EEA to the US for the purposes of this DPA pursuant to the EU-US Privacy Shield provided that Bluefin maintains its certification under the EU-US Privacy Shield;
  10. upon reasonable request, at Client’s sole expense (including reasonable compensation to Bluefin for time and expense) Bluefin shall allow Client and its respective auditors or authorized agents to conduct audits or inspections during the term of the Agreement, which shall include providing reasonable access to the premises, resources and personnel used by Bluefin in connection with the provision of the Bluefin Services, and provide all reasonable assistance in order to assist Client in exercising its audit rights under this Clause. The purposes of an audit pursuant to this Clause include to verify that Bluefin is processing personal data in accordance with its obligations under the DPA and applicable Data Protection Legislation. Notwithstanding the foregoing, such audit shall consist solely of: (i) the provision by Bluefin of written information (including, without limitation, questionnaires and information about security policies) that may include information relating to subcontractors; and (ii) interviews with Bluefin’s IT personnel.  Such audit may be carried out by Client or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality. For the avoidance of doubt no access to any part of Bluefin’s IT system, source code, data hosting sites or centers, or infrastructure will be permitted. Any audit or audit related activities (i.e. interviews with Bluefin IT personnel, requested resources, and personnel) shall be at Client’s sole expense, to the extent permitted by law;
  11. If Bluefin becomes aware of any accidental, unauthorized or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data that is processed by Bluefin in the course of providing the Bluefin Services (an “Incident”) under the Agreement it shall without undue delay notify Client and provide Client (as soon as possible) with a description of the Incident as well as periodic updates to information about the Incident, including its impact on Client Content. Bluefin shall additionally take action to investigate the Incident and reasonably prevent or mitigate the effects of the Incident;
  12. Bluefin shall provide information as reasonably requested by Client to demonstrate compliance with the obligations set out in this DPA.

Limitation of Liability

Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and Bluefin, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.

For the avoidance of doubt, Bluefin’s and its Affiliates’ total liability for all claims from the Client and all of its Authorized Affiliates arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under this Agreement, including by Client and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Client and/or to any Authorized Affiliate that is a contractual party to any such DPA. Also, or the avoidance of doubt, each reference to the DPA in this DPA means this DPA including its Schedules and Appendices.

Annex 1

Details of the Data Processing

Bluefin shall process information to provide the Bluefin Services pursuant to the Agreement. Bluefin shall process information sent by Client’s end users identified through Client’s implementation of the Bluefin Services.  As an example, in a standard programmatic implementation, to utilize the Bluefin Services, Client may allow the following information to be sent by default as “default properties:”

Types of Personal Data

Client may submit Personal Data to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

Field Comment
Full Credit and ACH details
tender_type* Credit, Debit, ACH
name Consumer name
last4 Could also be last 4 of ACH account
user_data Custom field for Merchant
authorization_msg returned from processor
authorization_code returned from processor
avs_response returned from processor
cvv2_response returned from processor
ip_address IP address of Merchant or terminal
cashier name of store employee
street_address1 of consumer
city of consumer
state of consumer
zip of consumer
country of consumer
phone of consumer
email of consumer
Custom ID Custom field for Merchant
noc_data ACH notification data
Input Group
* Indicates mandatory field


Categories of Data Subjects

Client may submit Personal Data to the Bluefin Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

  • Prospects, Clients, business partners and vendors of Client (who are natural persons)
  • Employees or contact persons of Client’s prospects, Clients, business partners and vendors
  • Employees, agents, advisors, freelancers of Client (who are natural persons)
  • Client’s Users authorized by Client to use the Services

Processing Activities

The provision of Bluefin Services by Bluefin to Client, including credit, debit, and ACH payment processing.