Terms & Conditions

You can download our Terms & Conditions here

General Terms and Conditions 3.0 (25 May 2018)

A. GENERAL

1. Definitions

The following words are capitalised in these General Terms and Conditions. These definitions have the same meaning in the singular and in the plural form.

Account: Setting up a virtual account that can be used to process Transactions, linked to a number of Transactions determined by ICEPAY that is made available to the Customer as an offered package.

Acquiring Partner: A financial institution that offers credit cards or debit cards and that processes these transactions.

Annexes: The Annexes attached to these General Terms and Conditions. The Annexes form part of the Agreement. The General Terms and Conditions prevail in case of a conflict between the Annexes and the General Terms and Conditions.

Back-up: Backup copies of digital data and/or files.

Business Days: Every Monday through Friday between 09:00 - 17:30 hours CET, with the exception of Dutch public holidays.

Chargeback: Reversal by the Acquiring Partner of a Transaction performed previously by an End User that is settled with the Customer by ICEPAY.

Conditions: These ICEPAY General Terms and Conditions that were also filed with the Haaglanden Chamber of Commerce under number 27348492.

Contract: All of the agreements between the Customer and ICEPAY concerning the provision of Payment Services, including the Platform Contract, the Price List, the Conditions, Annexes, Third- Party General Terms and Conditions and any alterations thereof.

Customer: A natural person or a legal entity acting in the conduct of a profession or business, who operates a webshop and instructs ICEPAY to deliver the Payment Services. The Customer is responsible for and bears the risk of payment on the part of End Users, inter alia in case of Chargebacks, reversals and fraud.

End User: buyers who purchase and pay for a product or service from the Customer on the website or in the Customer’s physical store using the ICEPAY Payment Services.

Force majeure: Force majeure is defined as any circumstance beyond ICEPAY’s control as a result of which full or partial compliance with the Contract becomes temporarily or permanently impossible, such as but not limited to failures on the part of third parties to comply with the Third-Party Services, failures on the part of suppliers, the fact that necessary information is not available on time, changes or inaccuracies in the information that has been provided, poor weather conditions, fires, explosions, electricity and other grid failures, floods, illness, lack of personnel, strikes or other industrial disputes, accidents, government acts, rejection or impossibility of a required permit or approval or the extension thereof, scarcity of materials, theft, and/or traffic nuisance.

High-risk Country: a country in which a high level of terrorism and/or other forms of crime exist.

Holdback: the (fixed) percentage or fixed amount agreed in the Platform Contract, which is reserved by ICEPAY in respect of the End User’s payment by way of surety for Chargebacks, refunds, reversals etc.

ICEPAY: ICEPAY B.V. and its successors in title or a company affiliated with ICEPAY B.V., which provides the Payment Services.

Identification details and information: Login name, passwords, address details and/or other codes provided to the Customer by ICEPAY for the purpose of gaining access to the Payment Services, including information regarding the nature and scope of the conduct of a profession or a business and all unique webshops/URLs connected directly or indirectly or linked to the Platform for this purpose. ICEPAY has the right to alter the Identification Details. ICEPAY will communicate new Identification Details to the Customer following changes. The Customer handles the Identification Details provided by ICEPAY in confidence and with due care and it will only disclose them to authorised employees.

Infrastructure: All of the systems, hardware, software, network components and connections required for the delivery and receipt of Payment Services. This collection of facilities is used among other things to store and transport data.

Offer: An offer of products and/or Payment Services made by ICEPAY to the Customer.

Payment Services: ICEPAY services that facilitate the fact that the Customer is able to accept online and/or point-of-sale payments via various payment methods from its End Users, which includes the authorisation of payments, the financial settlement thereof, reporting, making supporting web applications and Infrastructure available as well as any related services.

PEP: Politically Exposed Person; prominent political person.

Permit: A written legal act under public law performed by De Nederlandsche Bank (DNB) or another government body, which gives ICEPAY rights as regards the provision of the Payment Services.

Personal Data Legislation: the EU Data Protection Legislation 95/46/EC until 25 May 2018, and on and after that date, the General Data Protection Regulation 2016/979 (GDPR); GDPR definition used: data controller, data processor, processing, data breach.

Platform Contract: The form completed online by means of which the Customer has concluded the Contract with ICEPAY subject to the condition subsequent of a positive outcome of the customer screening and ICEPAY’s acceptance via the Suppliers of Payment Methods.

Price List: The price list as provided as an annex to the Platform Contract.

Rules & Regulations: The conditions of use that apply to the use by the Customer of the Payment Services and Third-Party Services purchased from ICEPAY. These conditions are issued by ICEPAY and the Suppliers of Payment Methods. The Rules & Regulations prevail in case of a conflict between the Rules & Regulations and the Conditions.

Second Line Support: Oral and/or written support provided to the End User in connection with a Transaction if such is requested by the Customer. The Customer remains responsible at all times for the relationship with the End User and provides first-line support.

Stichting Derdengelden: All ‘Stichting Derdengelden affiliated with ICEPAY and supervised by De Nederlandsche Bank (DNB). Stichting Derdengelden performs certain services on behalf of ICEPAY as part of the Payment Services, which are limited to the activities mentioned in article 23. ICEPAY remains responsible towards the Customer at all times for the provision of the Payment Services.

Supplier Payment Methods: third parties that deliver a specific payment method or that manage a network, such as the Acquiring Partner, Visa, MasterCard, Currence (iDEAL) and banks. Supplier Payment Methods deliver Third-Party Payment Services, which are used by ICEPAY to deliver its Payment Services.

Third-Party General Terms and Conditions: General terms and conditions applied by third parties, such as the Supplier Payment Methods (including but not limited to: Card Associations such as Visa/MasterCard).

Third-party Infrastructure: That part of the Infrastructure that is managed by third parties or the Customer.

Third-party Services: All third-party products and services delivered (on) by ICEPAY (including Supplier Payment Methods).

Transaction Data: The data entered by the Customer and/or End Users for the purpose of carrying out a Transaction, such as but not limited to personal data required for ICEPAY’s provision of the Payment Services.

Transaction(s): a payment request made by an End User for payment to the Customer, which is processed by ICEPAY, irrespective of whether payment is successful and/or concerning a reversal of a payment that has been processed.

2. Applicability

2.1 The Conditions apply to all Contracts and Offers on the part of ICEPAY.

2.2 The Conditions apply to the exclusion of the Customer’s conditions.

2.3 ICEPAY has the right at all times to make changes or additions to the Conditions. The changed Conditions will be notified to the Customer and they will become effective upon that notification. If the Customer does not agree to the changes, the Customer will have the right to terminate the Contract with notification thereof within the term of 30 days provided for above.

2.4 If the Customer refers to several natural persons or legal entities, these will be obliged jointly and severally to comply with the Contract.

2.5 Rules & Regulations may apply in addition to the Conditions. The Customer is responsible for familiarising itself with the Rules Regulations that apply to the Payment Services and Third Party Services to be purchased by it.

3. Offers

3.1 Offers are without obligation, unless agreed otherwise. Errors or mistakes on the part of ICEPAY are not binding for ICEPAY.

3.2 Offers are based on the information provided by the Customer in accordance with article 7.

3.3 If an Offer is not without obligation it will be valid for a period of 14 (fourteen) days after the date of the Offer unless agreed otherwise. The Offer lapses and no rights can be derived therefrom if the Customer has not accepted the Offer within the aforementioned term. In the event acceptance deviates from the Offer in minor respects (such to be decided by ICEPAY), ICEPAY will not be bound by these minor changes.

3.4 A compound quotation does not oblige ICEPAY to deliver part of the Payment Services against a proportionate part of the offered price.

3.5 Offers do not apply to future Contracts.

3.6 Offers and obligations to comply with Payment Services for which ICEPAY requires an (additional) Permit or registration in case of Suppliers of Payment Methods will take place subject to the condition precedent that ICEPAY obtains this Permit and/or registration, or has this Permit and/or registration and does not lose it.

4. Conclusion and duration of the Contract

4.1 The Contract is concluded between ICEPAY and the Customer at the moment the Platform Contract signed by the Customer has been accepted electronically and activated by ICEPAY, subject to the conditions mentioned in the Platform Contract.

4.2 The Contract has a minimum term of three (3) months. The Customer cannot terminate the Contract during this initial term. ICEPAY reserves the right to dissolve or terminate the Contract in accordance with the conditions of the Contract during the initial term. Following this initial term, the Contract will be extended automatically for an indefinite period, unless it is terminated in writing before the end of a calendar month: a) by the Customer while observing a notice period of one (1) month; or b) by ICEPAY while observing a notice period of two (2) months. This provision is without prejudice to all other rights that vest in the Customer or ICEPAY to dissolve or terminate the Contract in accordance with the conditions of the Contract.

4.3 ICEPAY has the right to suspend performance of the Payment Services and/or suspend or dissolve the Contract in whole or in part or withdraw the Offer without (prior) notice of default and without any liability for damage arising if:
(a) the Customer is a natural person and dies;
(b) the Customer submits a request for application of the Debt Management (Natural Persons) Act;
(c) the Customer loses control and/or the right to dispose of his assets, or is longer legally competent;
(d) the creditworthiness or payment behaviour of the Customer includes a risk (such to be decided exclusively by ICEPAY);
(e) the Customer is requested to provide security for compliance with its obligations arising from the Contract, at the moment of or after conclusion of the Contract and said security is not provided or is insufficient (such to be decided exclusively by ICEPAY);
(f) bankruptcy or a suspension is applied for by or against the Customer;
(g) the Customer is declared bankrupt or is granted a suspension of payment;
(h) the Customer’s business is liquidated or terminated, other than for the purpose of reconstruction or a merger of businesses;
(i) the product sold/service provided by the Customer or its business operations no longer complies or no longer continuous to comply with ICEPAY’s requirements (such to be decided exclusively by ICEPAY);
(j) the Customer does not process Transactions for a consecutive period of 3 (three) months;
(k) for credit card solution, the Customer significantly exceeds (decreases) the approved transaction volumes without notification to ICEPAY;
(l) Payment Services are used for criminal, fraudulent or unlawful activities;
(m) the Customer initiates Transactions that are in contravention of ICEPAY’s acceptance policy, Suppliers of Payment Instruments and/or the Rules & Regulations;
(n) ICEPAY’s Permit or registration with a Supplier of Payment Methods is withdrawn;
(o) compliance is impossible or cannot be demanded of ICEPAY within reason;
(p) other circumstances occur as a result of which unaltered maintenance of the Contract cannot be expected of ICEPAY within reason;
(q) the Customer does not comply with its obligations arising from article 19 or the (repeated) customer screening results in the fact that ICEPAY is not or no longer willing to do business with the Customer or a circumstance occurs as referred to in articles 19, 20 and/or 23.10;
(r) the fraud/reversal rate of the Transactions is unacceptable under the Rules & Regulations or according to ICEPAY;
(s) ICEPAY processes Transactions for URLs that have not been approved by ICEPAY;
(t) changes the nature of the business, operations (e.g. but not limited to, changes of the processing currency, location, target customers, etc.) or ownership without prior approval by ICEPAY;
(u) the risk profile of ICEPAY Transactions (volume or mix) changes to a material extent;
(v) the Customer does not have a sound (such to be decided by ICEPAY) complaints/refund procedure in place or its website does not comply with the requirements under the Rules & Regulations (such as clear notification of the name and location of the Customer to End User), and/or;
(w) any other circumstance occurs or any other act on the part of ICEPAY which - in ICEPAY’s perception - has an impact on the Customer’s proper compliance with the Contract and/or the Rules & Regulations or has a negative impact on the integrity, reputation or brand of ICEPAY and/or the Suppliers of Payment Methods;
(x) breaches any provision of the Platform Contract and this Terms and Conditions.

4.4 In case of suspension under article 4.3., ICEPAY will enable the Customer to remedy the circumstance that leads to the suspension. ICEPAY reserves the right to dissolve the Contract if this does not take place within 10 (ten) Business Days. Depending on the cause of the suspension, ICEPAY has a right to increased or impose an additional service fee.

4.5 In the event the Contract is dissolved by ICEPAY, the Customer will be obliged to pay the amounts mentioned in the Price List for the Payment Services provided up to the termination of the Contract. Any claim on the part of ICEPAY against the Customer is immediately due and payable. In case the dissolvent is caused by the serious breach of the contract (to be determined solely by ICEPAY), ICEPAY has a right to impose an increased service fee.

4.6 After the Contract has ended, the obligations that are intended by their nature to continue to apply, such as but not limited to articles 8, 9, 12, 21.2 and 23.11, will continue to apply in full.

5. Performance of the Contract

5.1 The availability and provision of the Payment Services concerns a best-efforts obligation.

5.2 ICEPAY will perform the Contract to the best of its knowledge and abilities, in accordance with the agreements reached with the Customer.

5.3 ICEPAY has the right to change the Payment Services. ICEPAY will notify the Customer of the substance of changes before the relevant change becomes effective.

5.4 The Customer has the right to change its Account into a lesser Account (downgrade) against payment of 50% of the payable costs related to the Account selected by the Customer.

6. Transfer of rights and obligations

6.1 The Contract concluded between ICEPAY and the Customer and rights and obligations that arise therefrom cannot be transferred to third parties or encumbered without the prior, written approval of ICEPAY.

6.2 The Customer agrees that ICEPAY has the right to transfer (parts of) (its rights and obligations arising from) the Contract or parts thereof, to third parties.

7. Cooperation/duty of disclosure on the part of the Customer

7.1 ICEPAY will deliver Payment Services on the basis of the information provided to ICEPAY by the Customer.

7.2 The Customer will render ICEPAY its full cooperation and always provide all necessary information for: (i) proper performance of the Contract;
(ii) identification and verification of the Customer;
(iii) verification of the Customer’s compliance with this Contract or the Rules & Regulations;
(iv) validation of the Customer’s financial position and risk profile, and/or;
(v) verification of information provided previously. The Customer guarantees the accuracy of this information. Without prejudice to the provisions above, the Customer will provide ICEPAY at all times with the valid addresses of its offices, any trade names and a full description of its products and/or Payment Services.

7.3 If information that is required for the performance of the Contract is not available (on time) to ICEPAY changes, or the information that was provided proves to be incorrect or misleading or if the Customer otherwise fails to comply with its obligations, ICEPAY will have the right to terminate the Contract or suspend its obligations on the basis of the Contract without prior notification in accordance with article 4.3. The costs already incurred will be charged to the Customer upon termination.

7.4 The Customer is responsible for the use and correct application within its organisation of the Payment Services to be provided by ICEPAY as well as for the tools to be used in that connection of any kind whatsoever and for the security thereof.

7.5 The Customer will comply at all times with the rules and instructions of ICEPAY and the Suppliers of Payment Instruments. If the Customer fails to comply with its obligations in this article, ICEPAY will have the right to suspend all or part of its Payment Services.

8. Confidentiality/Non-competition clause

8.1 ICEPAY and the Customer commit towards each other that they will observe confidentiality concerning each other’s organisation, such as but not limited to information concerning customers and Payment Services, which comes to their attention during the performance of the Contract.

8.2 ICEPAY has the right to place the name and logo of the Customer on the ICEPAY website and/or a list of references and disclose it to third parties.

8.3 The Customer will not establish direct or indirect professional relationships with ICEPAY employees in any way during the term of the Contract and for a period of up to 12 (twelve) months after the Contract has ended, unless it has obtained ICEPAY’s written approval to do so.

9. Intellectual property rights

9.1 ICEPAY reserves all intellectual property rights, industrial property rights and all other rights with respect to all Payment Services, the ICEPAY Infrastructure and Offers. The Customer is not allowed to reproduce, surrender to third parties or give in use the Payment Services and/or Offers in any way.

9.2 Any intellectual property rights arising from the performance of the Contract are the property of ICEPAY.

9.3 The Customer is not allowed to remove or have removed or change any indication regarding the aforementioned intellectual property rights, industrial property rights or any other rights.

9.4 The intellectual property rights concerning the altered Payment Services held by ICEPAY continue to vest in ICEPAY irrespective of the party that makes the changes to the Payment Services. If the aforementioned rights do not vest in ICEPAY, the Customer will arrange for the transfer of the aforementioned rights to ICEPAY free of charge.

9.5 If the Customer forms a new product of the Payment Services, all intellectual property rights in respect thereof shall vest in ICEPAY.

9.6 If third parties claim these intellectual property rights, the Customer will be obliged to notify ICEPAY thereof without delay.

10. Penalty Clause

10.1 In the event the provisions of article 8 and/or 9 are violated, the Customer shall forfeit without further notice of default an immediately due and payable penalty of €10,000 (ten thousand euros) per violation as well as €5,000 (five thousand euros) for each day the violation continues, which is to be paid to ICEPAY, without prejudice to ICEPAY’s right to claim additional compensation and/or to dissolve the Contract with immediate effect.

11. Complaints

11.1 Complaints must be submitted electronically by the Customer to ICEPAY at the e-mail address stated for this purpose on the website within eight days, failing which it will be assumed that the Customer has accepted the Service unconditionally.

11.2 Following its receipt, the complaint will be registered and forwarded to the responsible ICEPAY department.

11.3 Complaints are not handled if the complaint is caused by a change to the Service by the Customer or a third party.

11.4 ICEPAY will handle the complaint if the complaint is well-founded (such to be decided by ICEPAY).

11.5 Complaints from End Users are always forwarded to the Customer and will also be registered at ICEPAY for the purpose of combating fraud. ICEPAY has the right to charge costs for handling complaints in accordance with the Price List.

11.6 The Customer has a well-documented and functioning complaints and escalation procedure in place for its End Users, which includes a telephone reporting centre and an e-mail address, which complies with the requirements imposed in that connection by the banks and institutions that process payments for the Customer.

12. Liability

12.1 ICEPAY’s liability is limited to compensation of direct loss up to the amount (excluding VAT) that was invoiced to the Customer on the basis of the Contract during the calendar year of submission of the complaint, subject to a maximum of €100, (one hundred thousand euros), unless ICEPAY has taken out insurance with respect to the loss in which case the loss is maximised at the insured amount.

12.2 The Customer indemnifies ICEPAY against liability towards third parties, including - but not limited to - End Users and Suppliers of Payment Methods with respect to Transactions or any other claims that are the result of any failure on the part of the Customer concerning its services, failure to comply with the Contract, the Third Party General Terms and Conditions and/or the Rules & Regulations. This liability continues to apply in full after this Contract has been terminated.

12.3 ICEPAY is not liable if the Customer itself is in default.

12.4 ICEPAY is never liable for losses that arise or that are caused as a result of the fact that the Customer used the Payment Services for a purpose other than the one for which they were provided.

12.5 Direct loss includes exclusively the reasonable costs: a) incurred by the Customer to have the ICEPAY Service comply with the Contract unless the Contract is dissolved by the Customer or the Service of Payment Services are suspended by ICEPAY; b) incurred for the purpose of determining the cause and extent of the loss; c) incurred in order to prevent or mitigate loss, to the extent the Customer demonstrates that these costs have led to a limitation of the loss.

12.6 ICEPAY’s liability for indirect loss, including consequential losses, lost profit, missed savings, destruction or loss of files and/or data, loss due to delay, losses sustained, losses caused by defective provision of information and/or defective cooperation by the Customer, losses resulting from business interruption or third-party claims against the Customer are excluded.

12.7 ICEPAY’s liability does not arise until the Customer has given ICEPAY notice of default in writing by means of a registered letter within 2 (two) weeks after the loss arises, which notice of default provides a reasonable term for remedying the failure, ICEPAY attributably fails also after that term to comply with its obligations and the Customer implements measures to limit the loss. The notice of default must include a description of the failure that is as accurate as possible.

12.8 ICEPAY is not liable for losses that are the result of the failure to provide (on time) Third Party Services or for losses that are the result of the fact that ICEPAY is obliged to comply with certain changing and new legislation and other regulations.

12.9 The Customer acknowledges at all times - including after the Contract has been terminated - that it is liable for and the Customer will indemnify ICEPAY against all claims with respect to Transactions performed by it as well as any losses that result therefrom, including - but not limited to - reversals, chargebacks and/or penalties arising from the Rules & Regulations or this Contract.

12.10 The Customer acknowledges that ICEPAY is not a party to the agreement between it and End Users. The Customer indemnifies ICEPAY against all claims from End Users.

12.11 Without prejudice to the provisions of Article 6:89 of the Dutch Civil Code (BW) and the term for submitting complaints included in these conditions, every claim against ICEPAY prescribes in any event 12 (twelve) months after the event that caused the loss was discovered or should have been discovered by the Customer within reason.

13. Force Majeure

13.1 ICEPAY is not obliged to comply with the Contract if it is prevented from doing so as a result of Force Majeure. ICEPAY also has the right to invoke Force Majeure if Force Majeure occurs after ICEPAY should have complied with its obligations.

13.2 If the failure resulting from Force Majeure is temporary in nature, ICEPAY will have the right to suspend its obligations until the situation of force majeure no longer exists such without being obliged to compensate losses. In case of Force Majeure, ICEPAY reserves the right to claim payment from the Customer for performances already delivered by ICEPAY.

13.3 Failure as a result of Force Majeure does not give the Customer the right to dissolve the Contract and/or entitle it to compensation unless the failure lasts for more than three (3) months.

14. Nullity

14.1 If one or more provisions of the Contract are void or voidable in whole or in part, the other (parts of the) provisions of the Contract will continue to apply in full.

14.2 The parties will consult with each other concerning the (parts of the) provisions that are void or voidable in order to implement a replacement arrangement in the sense that the parties will endeavour to ensure that the purport of the Contract (or the remaining part of the provision) remains in force in its entirety.

15. Applicable Law and Dispute Settlement Rules

15.1 All contracts concluded by ICEPAY with the Customer are governed by Dutch law, unless agreed otherwise. The Vienna Sales Convention does not apply. Other disputes will be settled by the Amsterdam District Court, such to be decided by ICEPAY.

16. Inspections

16.1 ICEPAY has the right to process technical restrictions and control mechanisms in the Payment Services. In addition, ICEPAY and/or the Suppliers of Payment Methods have the right to perform unannounced inspections themselves or via third parties with respect to compliance with this Contract and/or the Rules & Regulations. The Customer will cooperate fully in this connection. If the Customer refuses to cooperate or refuses to grant ICEPAY access, ICEPAY will have the right to dissolve the Contract with immediate effect.

17. Second Line Support

17.1 The Customer is responsible for First Line Support. ICEPAY will provide Second Line Support in accordance with the rates of the Price List if the Customer does not facilitate this First Line Support sufficiently or at the request of the Customer.

B. INTEGRITY

18. Supervision

18.1 ICEPAY is an ethical company that acts in accordance with legislation and regulations and it is supervised by DNB. The Customer is aware that as a payment service provider ICEPAY is subject to statutory obligations and it will indemnify ICEPAY against losses it sustains in connection with the application of relevant legislation and regulations within the context of the performance of the Contract and/or the Offer.

19. Customer screening

19.1 Within the context of customer screening as condition subsequent for the conclusion of the Contract, ICEPAY will conduct a full investigation of the Customer, the Customer’s profile and Know-Your-Customer documentation delivered, its products and/or services, in accordance with the Platform Contract. The Customer will also be identified and verified and it will be investigated who the ultimate beneficial owners of the Customer are. Regular reassessments of the customer file, inspections and transaction monitoring will be performed following acceptance of the Customer. The Customer will ensure at all times that its customer file at ICEPAY is correct and up-to-date. A successful completion of the customer screening is required and is a condition pre-requisite in order to receive payments by the Customer.

19.2 The Customer guarantees towards ICEPAY that all (Know-Your-Customer) information and documentation that has been delivered is complete and correct. The Customer is required to notify ICEPAY immediately of new URLs (including in the event these are linked directly or indirectly to an URL that has already been assessed) and or changes to the Customer’s customer file in the manner prescribed for this purpose, whereafter a new screening will be performed for the aspects described in 2.2.1.

19.3 In addition to ICEPAY’s rights in accordance with article 4.3, in the event the Customer abuses the Payment Services, commits fraud, acts in contravention of legislation and regulations and/or the Rules & Regulations, deliberately provides incorrect information or performs any other fraudulent and/or abusive act, the Customer will owe a penalty to be paid to ICEPAY, without requiring further notice of default, as provided for in article 19. 5 , without prejudice to ICEPAY’s right to claim additional compensation, including loss of sales if ICEPAY also dissolves the Contract as well as the right to claim other costs such as legal and research costs. The amount of the penalty will be determined in accordance with ICEPAY’s (reasonable) opinion depending on the seriousness of the circumstances of the case in accordance with the categories in article 19. 5.

19.4 ICEPAY reserves the right to turn collection of the penalty over to a third party. All related costs are for the account of the Customer that forfeits the penalty.

19.5 Category 1: A penalty of €3,000 (three thousand euros) per violation and €1, (fifteen hundred euros) for every day the violation continues, Category 2: A penalty of €5,000 (five thousand euros) per violation and €2,500 (twenty-five hundred euros) for every day the violation continues, Category 3: A penalty of €10,000 (ten thousand euros) per violation and €5,000 (five thousand euros) for every day the violation continues.

20. Fraud / Money Laundering

20.1 ICEPAY reserves the right, such to be decided by it, to suspend all or part of the Payment Services and/or to dissolve the Contract, if it is established or the suspicion exists that the Customer and/or its ultimate beneficial owner act in contravention of the Money Laundering and Terrorist Financing (Prevention) Act (Wwft) inter alia (but not limited to) by serving fraudulent, money- laundering or terrorist purposes, or performs activities in respect of High-risk Countries or PEPs (unacceptable to ICEPAY), infringes the rights of Suppliers of Payment Methods or third parties and/or acting contrary to the Rules & Regulations and/or the Contract.

20.2 ICEPAY may submit a report to the police concerning fraud or other conclusions or, as the case may be, suspicions as referred to in article 20.1.

20.3 The costs related to investigation will be charged to the Customer in accordance with article 20.1 on the basis of subsequent calculation at an hourly rate of €100.

20.4 ICEPAY reserves the right to change the risk scoring of the Customer, in case ICEPAY in its reasonable discretion on the basis of clear and objective indications judges these to pose an unacceptable risk for accepting fraudulent transactions or creating increased chargeback levels. For some payment methods, Transactions can be cancelled by the Customer after they have been authorised. The final responsibility for accepting or rejecting a Transaction will remain with the Customer. ICEPAY reserves the right to cancel transactions that it has reasonable grounds to suspect to be fraudulent or involving other criminal activities.

20.5 In case of an increased level of fraud and chargeback levels, ICEPAY reserves the right to impose on a Customer a fraud prevention tool.

###21. Rules & Regulations

21.1 When performing their obligations arising from this Contract and when performing or, as the case may be, receiving the Payment Services, both parties will always comply with the Rules & Regulations, including but not limited to the Payment Card Industry Data Security Standards (PCI-DSS). The Customer will provide evidence of its compliance with the PCI-DSS standards upon request.

21.2 The Customer will indemnify ICEPAY against any and all claims from Suppliers of Payment Instrument and issuers of Rules & Regulations with respect to a failure to comply with its obligations under the Rules & Regulations. This liability will continue to apply also after this Contract has been terminated.

C. PAYMENT SERVICES

22. General

22.1 ICEPAY provides Payment Services. ICEPAY may deliver these Payment Services with respect to credit card Transactions as Payment Service Provider (PSP) or as Payment Facilitator (PF) as laid down in the Rules & Regulations. In the event ICEPAY operates as PF, it acts on behalf of the Acquiring Partner when concluding this Contract.

22.2 The Customer acknowledges that it is responsible and liable (financially) at all times for all Transactions processed under its account with ICEPAY during the term of the Contract and after it has ended, including the liabilities that arise therefrom such as Chargebacks, reversals, penalties, etc. The Customer does not have the right to process Transactions from third parties or from webshops that are not owned by the Customer.

23. Stichting Derdengelden

23.1 ICEPAY has outsourced the collection of funds to Stichting Derdengelden. Stichting Derdengelden manages part of the funds received on behalf of the Customer until the moment of payment to the Customer in accordance with the Contract.

23.2 Unless another payment method is agreed, the Customer agrees that the payments of End Users are paid by the Suppliers of Payment Methods into a bank account of Stichting Derdengelden.

23.3 ICEPAY will send the Customer an overview on a regular basis (Outpayment Overview) of the funds received by Stichting Derdengelden on behalf of the Customer, which specifies what part of those amounts accrues to the Customer and what part accrues to ICEPAY on the basis of the Contract. There will be 1 (one) Business Day between the dispatch of the Outpayment Overview and collection of the payable amount evident therefrom in accordance with the next article. ICEPAY will also invoice the Customer on a regular basis subject to a payment term of 14 (fourteen) days in which connection ICEPAY will charge to the Customer the part of the funds received by Stichting Derdengelden that accrues to it. In the event ICEPAY owes an amount to the Customer on the basis of an Outpayment Overview, ICEPAY will pay this amount to the Customer within 5 (five) Business Days after the Outpayment Overview becomes available (and only under the condition, that the payments of End-Users have been priorly received by Stichting Derdengelden).

23.4 When concluding the Contract, the Customer grants (depending on the nature of the Service)
(i) an irrevocable power of attorney to ICEPAY to collect from Stichting Derdengelden the amounts owed by the Customer to ICEPAY pursuant to the Contract (such as but not limited to service fee, refunds, Chargebacks, Outpayment Overview, amounts invoiced), or
(ii) debit the payable amounts from the Customer’s account by means of direct debit collection. The Customer will have this power of attorney registered with his or her bank, failing which ICEPAY will have the right to suspend its obligations.

23.5 In the event option (i) of the previous article applies, Stichting Derdengelden will have the right to set the payable amounts off against the amounts Stichting Derdengelden is required to pay to ICEPAY and to pay the remainder to the Customer.

23.6 Stichting Derdengelden has the right to suspend payment in the event a third party claims this payment or to make this payment to a third party if it is obliged to do so pursuant to an enforceable title. In such cases, Stichting Derdengelden also arranges for payment of the amounts owed by the Customer to ICEPAY. ICEPAY may charge administrative costs in this connection.

23.7 In the event collection of the invoiced amount does not succeed in the calendar month of the invoice (despite the request from ICEPAY side), ICEPAY will collect the amount from Stichting Derdengelden / the Customer the next calendar month. An amount of €40 (forty euros) in administration costs will be charged to the Customer in such cases.

23.8 In the event ICEPAY is also unable for any reason whatsoever to collect or does not receive its claim against the Customer from the Customer in this second calendar month, the Customer will owe statutory interests and costs on the outstanding amount without prior notification from the first day after expiry of a period of 14 (fourteen) days after the date of invoicing until the day of payment in full. The claim may be turned over to a third party for collection in which case the Customer will be obliged to compensate extrajudicial and judicial costs subject to a minimum of 15% of the outstanding amount.

23.9 Payment by the Customer serves primarily to pay the collection costs incurred by ICEPAY and subsequently to pay the interest and finally to pay the outstanding amount.

23.10 In case of (a suspicion of fraud) on the part of the Customer and/or (a) certain End User(s), ICEPAY will have the right to implement all measures to minimise its loss and the loss of Stichting Derdengelden, such as (but not limited to) suspension of its Payment Services in accordance with article 4.3, which includes blocking payments to the Customer and the automatic collection of balances with the Customer related to reversals, refunds, chargebacks etc.

23.11 The Customer is responsible and liable at all times for the Transactions processed by ICEPAY as well as all losses that may arise as a result. In the event a negative balance arises at Stichting Derdengelden as a result of reversals, refunds, Chargebacks and penalties imposed by ICEPAY or the Suppliers of Payment Methods, ICEPAY will have the right to suspend its obligations and the Customer will be obliged to make up the deficit within ten (10) days. In addition to statutory interest, ICEPAY will have the right to charge €25 in administration costs for each day the claim has not been paid. ICEPAY has the right to dissolve the Contract if the Customer fails to comply with its obligations under this article.

23.12 The Customer acknowledges that ICEPAY has the right at all times, in the event (fixed) Holdbacks are necessary, to withhold a (fixed) percentage from the payments to the Customer or demand a fixed amount as surety for Chargebacks, reversals and other risks with respect to the Transactions. The levels of the various Holdbacks may be adjusted by ICEPAY at any time during the term of the Contract, if such is justified by the Customer’s risk profile and/or its Transactions. The amounts that are withheld will be paid in due time. The withholding percentage or the fixed amount may be adjusted by ICEPAY in consultation with the Customer. Nevertheless, the Customer acknowledges that the ultimate decision is always ICEPAY’s. ICEPAY will exercise its rights pursuant to this article with the necessary care. Any Holdbacks may be retained by ICEPAY for a period of 6 (six) months after termination of the Contract or after delivery of the services by the Customer to End Users if such is necessary to cover its financial risks, including but not limited to chargebacks, penalties and reversals.

23.13 ICEPAY has the right to retain the Customer’s full payment for an indefinite period by way of a Holdback in the event of an ongoing investigation into the (organisation of the) Customer, irrespective of the Customer or the nature of this investigation also in the event ICEPAY is not allowed to make any statements concerning this investigation. Depending on the conclusion of such investigation, ICEPAY has a right to increase the service fee up to a 100% of Customer’s turnover to cover the incurred costs and liabilities.

24. Interest rate and exchange rate mark-ups

24.1 Changes to the interest rate or the exchange rate can be applied immediately by ICEPAY without notification in which connection the changes are based on the reference interest rate or the reference exchange rate that has been agreed.

24.2 In case of Transactions that are performed in countries that are not part of the European Monetary Union (EMU), ICEPAY charges an exchange rate mark-up of 1 % on the transaction amount in euros (on the top of any charges applied by the Suppliers Payment Methods).

25. Systems

25.1 Within the context of the access to and use of the Payment Services, the Customer has and will continue to have an Infrastructure in place that complies with the requirements determined by ICEPAY. ICEPAY’s obligation to provide the Payment Services will be suspended by ICEPAY if the Customer fails to comply with these requirements or adds a new website that is not in compliance.

25.2 The Customer enables ICEPAY to check whether the requirements referred to in this article are being complied with and to analyse the use of the Payment Services. The results of any analysis will not be made available to third parties. This does not apply to figures and data concerning the use of the Payment Services that cannot be traced back directly to the Customer’s use.

25.3 If the Customer fails, as yet after an inspection, to comply with the requirements referred to in article 25.1, ICEPAY will have the right to terminate all or part of the Contract without prior notice of default.

25.4 The Customer is obliged to comply with ICEPAY’s instructions concerning the use of the Payment Services and/or adjustments to its website(s).

25.5 A malfunction in the Payment Services must be notified immediately by the Customer to ICEPAY.

25.6 The costs of resolving the malfunction are for the Customer’s account if it becomes clear that the cause of the malfunction is attributable to its acts or omissions.

25.7 ICEPAY notifies the Customer in advance of the scope of the intended maintenance to the Infrastructure, if this maintenance leads to problems concerning access to the Payment Services. ICEPAY has the right, without being obliged to pay compensation, to make changes to the ICEPAY Infrastructure that could have an impact on the browsers used by the Customer. ICEPAY will notify the Customer thereof.

26. Availability of the Payment Services

26.1 ICEPAY ensures that the Payment Services are available. ICEPAY strives for an availability rate of:
a) 99% from Monday to Friday between 06:00 and 24:00 hours (CET);
b) 98% from Monday to Friday between 24:00 and 06:00 hours (CET);
c) 97% from Saturday to Sunday between 00:00 and 24:00 hours (CET).

26.2 The rate mentioned in article 26.1 is measured over a calendar year. Time for maintenance is not included.

26.3 ICEPAY strives to implement all useful and necessary measures to ensure the continuity of the Payment Services by means of common virus protection software.

26.4 ICEPAY strives to provide sufficient security against unlawful access by third parties to the computer equipment and computer software used by ICEPAY and/or the data that have been stored.

27. Using of Identification Details

27.1 ICEPAY makes the Identification Details available to the Customer exclusively for the use of the Payment Services. The Customer handles the Identification Details with due care. The Customer notifies ICEPAY in case of loss, theft and/or other forms of unlawful use. ICEPAY is not liable for abuse and/or unlawful use of the Identification Details.

27.2 Identification or suspicion of abuse of the Identification Details constitutes default on the part of the Customer. In such cases, ICEPAY will have the right to issue instructions to the Customer in order to end the abuse.

28. The Customer’s data traffic

28.1 ICEPAY commits that it will observe confidentiality concerning the information related to the Transactions, which are processed for the Customer and ICEPAY will implement the necessary technical and organisational measures with respect to the processing and storage of data pertaining to Transactions. In principle, Transaction Data are laid down by ICEPAY in such a manner that they can be consulted by the Customer for a period of at least one year after they were recorded. They are then archived by ICEPAY in accordance with the statutory requirements.

28.2 The Customer is responsible for the content of its data traffic in accordance with the code of conduct set out in article 30 and for creating Backups. 28.3 The Customer indemnifies ICEPAY against third-party claims in connection with (the content of) the data traffic or information originating from the Customer.

28.4 ICEPAY will cooperate in transferring Transaction Data and/or other data to another application for the Customer’s account if such is requested by the Customer. ICEPAY never guarantees that the Transaction Data present and/or the other data can be transferred to another application or another payment service provider during the term of the Contract and/or after the Contract has ended.

29. Personal Data

29.1 The Customer is responsible for protecting the personal and other data that are processed within the context of the Payment Services for the Customer. ICEPAY will process the Transaction Data on the basis of its role as Data Processor in accordance with the Personal Data Legislation and for this purpose it will comply with all instructions issued by the Customer (Customer acting as Data Controller).

29.2 The Customer indemnifies ICEPAY against all claims in connection with invasion of privacy (it includes among others, but is not limited to, all fines imposed to ICEPAY by data protection supervisory authorities, all costs in connection to potential/actual data breach).

29.3 To the extent the Customer has the right to do so, the Customer agrees to the processing of the personal and other data of the Customer, the End Users as regards the performance of this Contract and receipt of Third Party Services. This processing of personal data includes among other things Identification Details and Transaction Data and is only accessible to ICEPAY, its subcontractors, Suppliers of Payment Methods and third parties to the extent this is necessary for the performance of the Contract (subject to ensuring that the sub-processor has implemented substantially the same level of protection, as required under the GDPR). These data are not disclosed to third parties with the exception of those cases in which ICEPAY is obliged to do so pursuant to the law or a court order or the consent of the data subject has been obtained. In the latter case, ICEPAY will notify the Customer immediately of such disclosure (provided such is allowed by law). ICEPAY is not liable for abuse of these data by third parties.

29.4 With the exception of the provisions of article 29.1, ICEPAY is responsible for the protection of personal data that are processed and/or stored in the ICEPAY Infrastructure, and will take appropriate steps to ensure that persons authorised to process personal data are under a contractual, professional or statutory obligation of confidentiality.

29.5 ICEPAY acts on the instructions of the Customers as regards the processing of personal data. Processing of personal data takes place exclusively within the context of the performance of the Service, unless processing is required by EU regulations, in which case ICEPAY shall specifically inform the Customer (within legal framework) before processing that Personal data.

29.6 Both Parties ensure they have implemented appropriate organisation and technical solution to secure the right level of protection over processing of personal data.

29.7 In case the data subject will want to exercise their rights or file a complaint under the GDPR, ICEPAY will promptly inform the Customer of such event. In case of a personal data breach, ICEPAY shall immediately inform the Customer of such event and assist the Customer in complying with its reporting obligations.

29.8 Customer needs to comply with the data protection legislation of the country of origin, but also of the countries where he is operating and offering their services.

29.9 If End Users have direct access to the Service, the Customer will be responsible for providing information concerning rights pursuant to the Personal Data Legislation to the persons whose personal data are processed and compliance with the other provisions of this act.

29.10 Customer will ensure to obtain and provide all necessary consent, to extend necessary for the processing of personal data, that ICEPAY require for delivering the Payment Services. Personal data will be kept on file for the duration of the contract and after, to minimum for the period necessary for dealing with chargebacks, etc. Upon the termination or expiry of the ICEPAY Contract, all personal data shall be deleted, unless explicitly agreed otherwise by the Parties or required under the rules and regulations.

29.11 In case of the processing within the Cardholder data environment: the disclosure of cardholder data is prohibited; the Customer must not disclose the cardholder data to third parties, expect from the purpose necessary for dealing with ICEPAY Services, chargebacks, retrievals, other legally required orders; both Parties ensure high level of internal controls and technical and organisational solutions over the access to cardholder data (e.g. PCI DSS).

30. Code of conduct

30.1 The Payment Services must be used in a responsible manner. It is not allowed to use the Payment Services in such a manner that:
a) the Infrastructure could be damaged; and/or
b) disruptions to their use may occur.

30.2 It is not allowed to use the Payment Services, including the payment methods, for illegal purposes and/or to use them in contravention of the Contract and/or in contravention of the required certainty for End Users, Customers and/or ICEPAY. This includes among other things but is not limited to the following acts and conduct:
a) infringement of third-party rights or enabling the infringement of third-party rights, such as but not limited to intellectual property rights and privacy rights;
b) failure to comply with the applicable legislation and/or other relevant regulations;
c) (possibly) causing damage to payment networks or the brands of the Suppliers of Payment Methods;
d) spamming (unsolicited dissemination (or, at any rate, making this possible for third parties) of advertisements and other communications);
e) storing/disseminating (animal and/or child) pornography;
f) sexual intimidation, discrimination and/or bothering persons in any other way;
g) dissemination or otherwise making obscene, offensive and hurtful material and/or material of such nature, available to third parties;
h) threats;
i) storing and spreading viruses, worms and/or other destructive activities;
j) unauthorised breaking into (hacking) accounts, systems and/or networks owned by third parties and/or ICEPAY and/or performing and/or omitting any other act that makes hacking possible.

30.3 ICEPAY and/or the Suppliers of Payment Methods are liable for losses sustained by the Customer and/or third parties as a result of measures implemented by ICEPAY as referred to in the previous paragraph, such without prejudice to the Customer’s obligation to pay the agreed amounts.

30.4 If the seriousness of the acts and/or failure to act on the part of the Customer justifies such and/or the acts and/or failure to act is continued, despite the measures implemented by or on behalf of ICEPAY, as set out in article 30.2, ICEPAY will have the right to dissolve the Contract, without ICEPAY being obliged to pay any compensation in this connection or to refund amounts that have already been paid.

D. THIRD PARTY SERVICES

31. General

31.1 The Customer acknowledges that the use of certain payment methods requires the consent of the Suppliers of Payment Instruments. Several payment methods also create an agreement between the Customer and the Suppliers of Payment Instruments, which agreement is subject to the Third Party General Terms and Conditions. The Customer bears the risk concerning the actual provision of the Third Party Services by the Suppliers of Payment Instruments, including the payment of payments made by Suppliers of Payment Instruments, with or without intervention on the part of ICEPAY.

31.2 The Suppliers of Payment Methods that provide Third Party Services are not considered to be subcontractors of ICEPAY. ICEPAY is not responsible for the sustained offer, availability or proper operation of the payment and other services and payment methods of the Supplier of Payment Instruments.

31.3 The Customer acknowledges that the Suppliers of Payment Instruments and/or the issuers of the Rules & Regulations have the right to deny the Customer access to the relevant payment instrument or payment network at any time, without the aforementioned parties and/or ICEPAY being liable in this connection.

31.4 ICEPAY does not perform Maintenance, Support or other services with respect to the Third Party Service, unless agreed otherwise in writing.

31.5 As regards the Third Party Services that have been provided, ICEPAY arranges, if such has been agreed, for the servicing and warranty of the hardware delivered by third parties (such as payment terminals), subject to the conditions of the Third Party General Terms and Conditions.

31.6 The Customer only has the right to place the name and logo of the relevant Supplier of Payment Methods on the Customer’s website subject to the terms and conditions of the Suppliers of Payment Methods. The Customer acknowledges that the Suppliers of Payment Methods are the exclusive owners/licence holders of the brands of a payment method and that it will never contest this. ICEPAY has the right to suspend and/or dissolve the Contract with immediate effect (in whole or in part) in the event of any fraudulent or unlawful use of the name and/or logo of a Supplier of Payment Methods. A Supplier of Payment Methods has the right at all times to demand that the Customer ceases the use of its name and/or logo.

Full list of ICEPAY Supplier Payment Methods is included on http://www.icepay.com

E. PAYMENT

32. Prices and payments

32.1 All payable amounts are calculated in accordance with the Price List and are exclusive of VAT and other levies. The payable amounts will be invoiced in euros including VAT, other levies and any order costs, dispatch costs, hourly wages, travel and waiting time compensations, the actual travel and accommodation costs incurred and the other costs (incurred by third parties) related to the activities.

32.2 ICEPAY invoices the payable amounts each month unless agreed otherwise, subject to a payment term of 14 (fourteen) days. ICEPAY has the right to set off the invoiced amounts.

32.3 If the Customer fails to comply with a payment obligation, the Customer will be in default without requiring notice of default for this purpose. The Customer owes ICEPAY the costs and statutory interest as set out in article 23.8.

32.4 ICEPAY has the right to keep in its possession the property, rights and information received or generated within the context of the Contract until the Customer has paid all amounts payable to ICEPAY. Provision of Payment Services will be suspended if the Customer is in default as regards payment of the invoiced amounts. This suspension does not alter ICEPAY’s payment obligation.

32.5 ICEPAY has the right to suspend its activities and other obligations until payment in full has been made, without prejudice to the Customer’s obligation to comply with its obligations.

33. Rate changes

33.1 ICEPAY has the right to change the transaction costs and rates in the event for example of a change to one or more cost items including but not limited thereto new legislation and regulations and/or changed exchange rates, Consumer Price Index (CPI, all households) or the Statistics Netherlands index concerning commercial services.

33.2 In case of a price adjustment independent of ICEPAY resulting in the buy rates exceeding sell rates, ICEPAY is entitled to clawback.

33.3 ICEPAY indexes its rates annually. ICEPAY will notify the Customer in writing of changes to the rates one calendar month before the change enters into effect. A change to the transaction costs becomes effective immediately after the Customer has been notified of such an increase.

33.4 If the Customer does not agree to a price adjustment, the Customer will have the right to terminate the Contract effective as from the date the price adjustment will enter into effect, provided that the overall price increase exceeds the inflation figure published by Statistics Netherlands for the current year (or the previous year for price increases announced for the coming year) by more than 10% for a period of 1 (one) year.

33.5 If the Customer initiates and/or re-negotiates the rates changes, the Customer is responsible to process that change with ICEPAY, and/or other Supplier of Payment Method (by delivering a dully signed forms), and the Customer acknowledges that the change is only effective as of the explicit confirmation by ICEPAY, and/or other Supplier of Payment Method.

34. Costs

34.1 Without prejudice to the provisions above, all costs that arise for ICEPAY from the relationship with the Customer, including but not limited to legal and other costs related to attachments levied against ICEPAY at the expense of the Customer, are for the account of the Customer within the boundaries of reasonableness.

APPENDIX 1 – GDPR: Data Processing Conditions

The terms “process/processing/processed”, “Data Subject”, “Personal Data”, “Data Controller”, Data Processor”, Personal Data Breach”, shall have the same meaning as in the Data Protection Legislation, and shall refer to the personal data of Customers or any other personal data in card data or transaction data, in each case processed by ICEPAY as part of the Services.

Definitions

Data Subject: the identified or identifiable natural person to whom the Personal Data pertain, as referred to in Article 4 at 1) GDPR.

Employee: the employees and other persons engaged by the Processor for whose activities it is responsible,cand who are engaged by the Processor for the performance of the Agreement.

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Personal Data: all information relating to a Data Subject; a natural person who can be directly or indirectly identified, in particular based on an identifier such as a name, an identification number, an online identifier or one or more elements that are characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person, as referred to in Article 4 at 1) GDPR, is deemed identifiable.

Personal Data Breach: (suspicion of) a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, as referred to in Article 4 at 12) GDPR.

Processing: any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, as referred to at Article 4 at 2) GDPR.

Recipient: a natural or legal person, public authority, agency or another body, whether or not a Third Party, to whom/which the Personal Data are disclosed, as referred to in Article 4 at 9) GDPR.

Service: the payment service(s) to be provided by the Processor to the Controller based on the Agreement.

Sub-processor: another processor, including but not limited to group companies, sister companies, subsidiaries and auxiliary suppliers, engaged by the Processor to perform specific processing activities at the Controller’s expense.

Supervisory Authority: one or more independent public bodies responsible for supervising the application of the GDPR, in order to protect the constitutional rights and fundamental freedoms of natural persons in connection with the Processing of their Personal Data and to facilitate the free traffic of Personal Data inside the Union, as referred to in Article 4 at 21) and Article 51 GDPR. In the Netherlands, this is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

Third Party: a natural or legal person, public authority, agency or body other than the Data Subject, the Controller or the Processor, or the person who, under the direct authority of the Controller or Processor, is authorised to process Personal Data, as referred to in Article 4 at 10) GDPR.

In processing the Personal Data, the Parties (ICEPAY and the Customer) acknowledge that ICEPAY acts as the Data Processor and Customer as the Data Controller of such personal data. The Parties are committed to treat the Personal Data that are or will be processed for the performance of the Contract with due care, and in accordance with the GDPR and other applicable rules and regulations concerning the Processing of Personal Data. In accordance with the GDPR and other applicable rules and regulations concerning the Processing of Personal Data, this document describes the rights and obligations in respect of the Processing of the Data Subjects’ Personal Data.

Terms

1. Subject of the Data Processing Conditions.

1.1. The Data Processing Conditions form a supplement to the Platform Contract and replaces any arrangements agreed earlier between the Parties in respect of the Processing of Personal Data.

1.2. The general provisions from the Data Processing Conditions apply for all Processing under the performance of the Platform Contract. The Processor shall immediately notify the Controller if the Processor has reason to assume that the Processor can no longer comply with the Data Processing Conditions.

1.3. The Controller shall give the Processor assignments and instructions for processing the Personal Data on behalf of the Controller. The Controller’s instructions are described in more detail in this Rules as well as in the Platform Contract. The Controller may issue reasonable supplementary instructions in writing.

1.4. The Processor shall process the Personal Data exclusively on assignment from the Controller and on the basis of instructions from the Controller. The Processor shall exclusively process the Personal Data in so far as the processing is necessary for the performance of the Platform Contract, and never for its own use, the use of Third Parties and/or other purposes, unless required so by the contractual or legal obligations. In that event, the Processor shall notify the Controller of this provision prior to the Processing, unless that legislation prohibits such notification for serious reasons of public interest.

1.5. The Processor and the Controller shall comply with the GDPR and other applicable rules and regulations concerning the Processing of Personal Data. The Processor shall immediately notify the Controller if, in the opinion of the Processor, an instruction from the Controller breaches the GDPR and/or other applicable rules and regulations concerning the Processing of Personal Data.

1.6. If the Processor determines the purpose and means of the Processing of Personal Data in violation of the Data Processing Conditions and/or the GDPR and/or other applicable rules and regulations concerning the Processing of Personal Data, the Processor is deemed the Controller for that Processing.

2. Processing of Personal Data In performing the Payment Services (as agreed and specified in the ICEPAY Conditions), the following activities may include the Processing of Personal Data:

• authentication of Customer access to an account;
• communication with Customer about the account, the website, the services;
• management of our business needs, such as monitoring, analysing, and improving our services;
• assessment and acceptance of (potential) Customers as part of the onboarding / customer due diligence process (performance of the company checks, evaluation of applications, and comparison of information for accuracy and verification purposes);
• performing sanction checks and PEP (politically exposed person) checks on directors and ultimate beneficial owners orcustomers;
• creation of an account connection between the Customer account and a third-party payment method (as requested by Customer) and forwarding of transaction details to the relevant payment method supplier^1 /acquirer (sub-processors) for the performance of the Platform Contract and settlement purposes;
• performance of (targeted) marketing activities designed to establish a relationship with a Customer and/or maintain or extend a relationship with a Customer;
• management of risk and protection of the services and the Customer from fraud by verifying Customers identity, and helping to detect and prevent fraud and abuse of our services;
• forwarding to external suppliers relating to activities aimed at preventing and combating fraud;
• providing information on its Customers/transactions to supervisory bodies, if a transaction is considered unusual; and
• compliance with our obligations and to enforce the terms of our services, including to comply with all applicable laws and regulations.

ICEPAY may be processing the following Personal Data categories:

• Customers (e.g. Name, Date of Birth, ID number,Address, Phone number, Email, IP address, etc.);
• Consumers/End users (e.g. Name, Bank details, Address, Phone number, Email, IP address, etc.);
• Website visitors (e.g. Name, Location, IP address, etc.).

3. Cooperation and assistance

The Processor will assist and cooperate with the Controller in complying with the obligations borne by the Parties on the basis of the GDPR and other applicable rules and regulations concerning the Processing of Personal Data.

4. Access to Personal Data

4.1. The Processor shall limit access to Personal Data by Employees, Sub-processors, Third Parties and other Recipients of Personal Data to a necessary minimum, and what is necessary for the performance of the Contract.

4.2. Based on a strict Access Control, the Processor provides access only to Employees, who must have the access to Personal Data in the performance of the Platform Contract.

4.3. Customer generally authorises ICEPAY to engage with sub-processors (e.g. Supplier of Payment Methods) to process the Personal Data on its behalf in accordance with the Platform Contract, subject to: ICEPAY ensuring that it has a contractual agreement with any sub-processor, and which apply substantially the same level of protection as specified under the GDPR; and the Processor remains liable to the Customer for the performance of any processing operations transferred to the sub-processor.

4.4 At the Controller’s request, the Processor shall provide to the Controller a list of the Sub-processors engaged by the Processor.

5. Security

The Processor will take appropriate technical and organisational measures to safeguard an appropriate level of security, so that the Data Processing complies with the requirements under the GDPR and other applicable rules and regulations, and the protection of the rights of Data Subjects is safeguarded.

6. Audit

The Processor is obliged to periodically have an audit in respect of the Processor’s organisation, in order to demonstrate that the Processor complies with the provisions of the Platform Contract, the Data Processing Conditions, the GDPR and other applicable rules and regulations concerning the Processing of Personal Data.

7. Personal Data Breach

7.1. Without undue delay, and in any case, no later than within 24 hours after discovery, the Processor shall notify the Controller of a Personal Data Breach or a reasonable suspicion of a Personal Data Breach. The Processor shall notify the Controller via the Controller’s main contact person, including the sufficient level of details. The Processor warrants that the information provided is complete, correct and accurate.

7.2. If and in so far as it is not possible for the Processor to simultaneously provide all of the details regarding the data breach, the information may be provided to the Controller step-by-step without undue delay and, in any case, no later than within 24 hours after the discovery.

7.3. The Processor has adequate policy and procedures to detect, notify and respond to Personal Data Breaches. The Processor takes measures to prevent or limit (further) unauthorised disclosure, alteration and provision or otherwise unlawful Processing, and to prevent repetition of the same.

7.4. The Processor will maintain a detailed register of all Personal Data Breaches that relate to or are connected with the (performance of the) Platform Contract. At the Controller’s request, the Processor shall provide the Controller with a copy of this register.

7.5. Notifications and communication regarding the Data Breach shall be sent to: compliance@icepay.com

8. Transfer of Personal Data

Personal Data may be transferred to third parties and/or countries or international organisations only if there is an appropriate level of protection and the Controller has given specific consent for this. The Processor is exclusively entitled to these transfers to third countries or international organisations, unless a provision under EU law or under Member State law requires the Processor to perform Processing. In that event, the Processor shall notify the Controller of this provision prior to the Processing, unless that legislation prohibits such notification for serious reasons of general interest.

9. Confidentiality

9.1. All Personal Data are qualified as confidential and must be treated as such. Any breach of confidentiality or unlawful disclosure is considered a Breach of Personal Data.

9.2. Exceptions from disclosure includes:
i. Disclosure and/or provision of the Personal Data is necessary in the context of the performance of the Platform Contract or the Data Processing Conditions;
ii. Any mandatory statutory provision or court decision requires the Parties to disclose and/or provide the Personal Data, in which case the Parties shall first notify the other Party of this;
iii. Disclosure and/or provision of the Personal Data takes place with prior consent from the other Party.

10. Changes notification

The Processor is obliged to immediately notify the Controller of proposed changes in the offered Service, the performance of the Platform Contract and the performance of the Data Processing Conditions in cases it concerns the Processing of Personal Data. Changes that concern the Processing of Personal Data may never result in the Controller being unable to comply with the GDPR and/or other applicable rules and regulations concerning the Processing of Personal Data.

11. Requests from Data Subject

In the event that a Data Subject submits a request for the execution of his/her legal rights to the Processor, the Parties will deal with the request of the Data Subject in mutual consultation.

12. Liability

Parties agree that the normal statutory regulation applies with regard to liability.

13. Termination

The term of the Data Processing Conditions is the same as the term of the Platform Contract. The Data Processing Conditions cannot be terminated separately from the Platform Contract.

14. Applicable law

The Data Processing Conditions and its performance are governed by the laws of the Netherlands.